Home/ Questions/Q 7841045
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-02T16:00:45+00:00

we are looking at using the unparseable curft approach to our json as an

  • 0

we are looking at using the unparseable curft approach to our json as an extra level of security.

In looking at the approaches, I’ve come across google’s while(1); and facebook’s for(;;); and then another mention of {}&&

I’ve seen comments surrounding the while(1); that say the 1 being numeric can get clobbered, so my approach was going to be the for(;;);.

Then I came across the {}&&, which renders the json as invalid yet it can still be parsed/eval’ed. See this article for reference: http://www.sitepen.com/blog/2008/09/25/security-in-ajax/

What are your approaches? and what do your functions look like for making the ajax call with the unparseable curft?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    I just always use a root object. As noted:

    It is only possible to hijack JSON data with a root that is an array.
    When the root is a primitive, primitive values do not trigger a
    constructor. When the root is an object, it is not valid JavaScript
    syntax, and therefore can’t be parsed.

    Note that having a root primitive (e.g. your response is just 5) is not valid JSON. Section 2 of the RFC says:

    A JSON text is a serialized object or array.

      JSON-text = object / array

    This isn’t much of a burden, as I (and many sites) typically use an envelope format. E.g.:

    {
  "header": {...},
  "data": {...}
}

    or:

    {
  "status": {...},
  "data": {...}
}

    etc.

    In that case, any array would just be the value of data, so you can serve syntactically valid JSON without any hijacking risk.

    • 0