
Is it safe to use JavaScript to eval JSON-like data from your own servers? - benhoyt

======
benhoyt
Scenario: I've got a page which does an Ajax request and eval()s the response.
I trust the response, because it's from our own servers (and simply contains a
dictionary). But are there any possible issues I'm forgetting?
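
An added example (not code from the thread or from benhoyt's page) that puts the eval() handler described in the question beside a JSON.parse() replacement and runs both over constructed response bodies. The bodies, the function names, and the `globalThis.pwned` flag (a stand-in for whatever an injected script would really do) are all assumptions made for the illustration:

```javascript
// Added example, not code from the original thread. It compares eval() with
// JSON.parse() on constructed response bodies: the expected dictionary, and
// the same body after something between the browser and the server has
// rewritten it. "globalThis.pwned" is a stand-in for the side effect an
// injected script would have (exfiltration, DOM changes, and so on).

// How the handler in the question reads the response. The parentheses are the
// usual idiom: without them eval() parses a leading "{" as a block statement,
// not as an object literal.
function parseWithEval(body) {
  return eval('(' + body + ')');
}

// The replacement: a parser for data, which never executes anything.
function parseWithJson(body) {
  return JSON.parse(body);
}

// Run one parser and report either the value or the exception class.
function attempt(parser, body) {
  try {
    return { ok: true, value: parser(body) };
  } catch (err) {
    return { ok: false, error: err.constructor.name };
  }
}

// Constructed sample body (not real server output): the dictionary the page expects.
const trustedBody = '{"user": "ben", "count": 3}';

// Constructed tampered body. An intermediary does not need a parser bug: it
// closes the wrapping parenthesis, inserts statements, and reopens it, so the
// string eval() sees is still one valid program whose last expression is an
// object. The handler gets a dictionary back and never notices.
const tamperedBody =
  '{"user": "ben", "count": 3}); globalThis.pwned = true; ({"user": "mallory", "count": 0}';

// Feed the same body to both parsers and return both outcomes.
function compare(body) {
  return {
    viaEval: attempt(parseWithEval, body),
    viaJson: attempt(parseWithJson, body),
  };
}

// eval() without the parentheses, to show why the idiom exists: a bare "{...}"
// is a block statement, so quoted keys are a SyntaxError and an unquoted key
// becomes a label, leaving the block's last expression as the result.
function bareEval(body) {
  return attempt((b) => eval(b), body);
}

console.log('trusted:', JSON.stringify(compare(trustedBody)));
console.log('tampered:', JSON.stringify(compare(tamperedBody)));
console.log('pwned flag set by eval():', globalThis.pwned === true);
console.log('bare eval of trusted body:', JSON.stringify(bareEval(trustedBody)));
console.log('bare eval of {count: 3}:', JSON.stringify(bareEval('{count: 3}')));
```

On the trusted body both parsers return the same dictionary, so the switch costs nothing. On the tampered body eval() runs the injected statement and still hands back a plausible-looking object, while JSON.parse() rejects the body with a SyntaxError at the first character that is not JSON. That is the whole point: a data parser cannot be turned into a code path, whatever is sitting between the client and the server.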

~~~
olefoo
Proxies. Is what the client is receiving actually from your server, and not
from something between them and you?

~~~
locust
But a malicious proxy doesn't need to insert Javascript to get your browser to
do naughty things, since it can just manipulate the upstream anyway. Not to
mention inject Javascript into HTML pages as they come down.

