Friday, April 23, 2010

Is GWT's rpc eval() call safe?

Hey All,
I've been looking through the GWT code in an attempt to figure out
if its call to the JavaScript eval() function is safe on RPC
responses. So far I've seen that it natively calls the eval function
in the ClientSerializationStreamReader class with an encoded
response. Unfortunately I haven't been able to find how this response
is encoded.

I've also noticed that while the RPC response is JSON, it also begins
with a //OK string. Does this protect RPC calls from executing
malicious JavaScript? If not, what does?

Thanks in advance
