Re: [xml-dev] json v. xml

• From: Elliotte Harold <elharo@...>
• To: "Nathan Young -X (natyoung - Artizen at Cisco)" <natyoung@...>
• Date: Fri, 05 Jan 2007 16:01:01 -0500

Nathan Young -X (natyoung - Artizen at Cisco) wrote:

> JS (including JSON) can be included in the page using the script tag or
> a DOM equivalent created via JS in the page.  The source from which the
> script tag pulls a file full of JS source code can point to any server.

Can this URL be dynamically created at runtime using more JavaScript?

> The fact that your page can easily get JS from untrusted sources but not
> XmlHttp content is bizzare as far as I'm concerned.  Changing browser
> policies to tighten the restrictions on the scrip tag is unlikely to
> happen.
> 

I'm not quite sure if it's possible, but I'm really tempted to write a 
proof of concept exploit that base64 encodes XML, stuffs it in JSON, 
downloads it with JSON, and then deencodes it and passes it to an XML 
parser for parsing.

Is there anyway to simply load arbitrary binary or text content from an 
arbitrary network connection in JavaScript? For instance, by setting an 
iframe URL to point to it and then grabbing it? If so, I could avoid the 
need to preencode the XML in JSON completely. :-)

-- 
Elliotte Rusty Harold  elharo@...
Java I/O 2nd Edition Just Published!
http://www.cafeaulait.org/books/javaio2/
http://www.amazon.com/exec/obidos/ISBN=0596527500/ref=nosim/cafeaulaitA/