Dangerous use of eval to parse unsanitized JSON
Opened this issue · 0 comments
harrysarson commented
In the integrating with an OSLC provider tutorial, JavaScript's eval function is used to parse JSON (in src/main/webapp/index.jsp, line 313, function handleMessage).
I am aware that this project is not intended for anything other than an example, but using eval in this way can be very dangerous, as it exposes the website to cross-site scripting attacks.
JavaScript has JSON support built in, so there is no reason to use eval.
I suggest replacing
var results = eval("(" + json + ")");
with
var results = JSON.parse(json);
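To make the difference concrete, the following is an added example (not code from the OSLC tutorial or this project) that runs both the tutorial's eval pattern and JSON.parse over two constructed strings: one that is ordinary JSON and one that is not JSON at all but is valid JavaScript. The names parseWithEval, parseWithJson, tryParse and demo, and the sideEffect marker property, are assumptions made for this demonstration. It shows that eval executes whatever the string contains, while JSON.parse only accepts the JSON grammar and rejects anything else with a SyntaxError, which is exactly the property the replacement above relies on.

```javascript
// Added example, not part of the original issue or project. Constructed
// inputs: a benign JSON document and a string that is valid JavaScript but
// not JSON. Node.js is assumed as the runtime.

const benignPayload = '{"name": "widget", "count": 3}';

// Constructed non-JSON input. It is a JavaScript expression: an immediately
// invoked function that records a marker on the global object and returns
// an object, so it looks like "data" to the caller.
const nonJsonPayload =
  '(function () { globalThis.sideEffect = "executed"; return {"name": "widget"}; })()';

// The pattern used by the tutorial: wrap the string in parentheses and eval it.
// Anything that is valid JavaScript is executed, not merely parsed.
function parseWithEval(json) {
  return eval("(" + json + ")");
}

// The suggested replacement: JSON.parse recognises only the JSON grammar and
// never evaluates code; non-JSON input raises a SyntaxError.
function parseWithJson(json) {
  return JSON.parse(json);
}

// Run one parser over one payload and report whether it succeeded, what it
// returned or threw, and whether the marker property was written, i.e.
// whether parsing the string had any side effect.
function tryParse(parser, payload) {
  delete globalThis.sideEffect; // reset the marker before each run
  try {
    const value = parser(payload);
    return { ok: true, value, sideEffect: globalThis.sideEffect === "executed" };
  } catch (err) {
    return { ok: false, error: err.name, sideEffect: globalThis.sideEffect === "executed" };
  }
}

// Exercise both parsers against both payloads and return the four outcomes.
function demo() {
  return {
    evalBenign: tryParse(parseWithEval, benignPayload),
    evalNonJson: tryParse(parseWithEval, nonJsonPayload),
    jsonBenign: tryParse(parseWithJson, benignPayload),
    jsonNonJson: tryParse(parseWithJson, nonJsonPayload),
  };
}

// Stand-alone run: prints a compact summary of each outcome.
if (typeof require !== "undefined" && require.main === module) {
  for (const [name, result] of Object.entries(demo())) {
    console.log(name, JSON.stringify(result));
  }
}
```

Both parsers return the same object for the benign document, so the change is invisible to well-formed input. For the non-JSON string, parseWithEval returns an object and leaves the marker behind, meaning code ran; parseWithJson throws a SyntaxError and the marker is never set.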