Permit type data in the serialized JSON
Closed this issue · 7 comments
GoogleCodeExporter commented
What steps will reproduce the problem?
1.
2.
3.
What is the expected output? What do you see instead?
Gson gson = new Gson();
MyObject ob = new MyObject();
String text = gson.toJson(ob);
MyObject copy_ob = (MyObject)gson.fromJson(text);
What version of the product are you using? On what operating system?
1.3
Please provide any additional information below.
Original issue reported on code.google.com by new.r...@gmail.com
on 19 Jun 2009 at 5:41
- Merged into: #231
GoogleCodeExporter commented
While this may seem tempting, having the client JSON specify which class to instantiate seems to be full of security holes to me. Do you have a proposal on how to avoid security issues?
Original comment by inder123
on 23 Sep 2009 at 7:03
GoogleCodeExporter commented
deferred for consideration in a future release.
Original comment by inder123
on 29 Sep 2009 at 6:13
- Added labels: Milestone-Release1.5
GoogleCodeExporter commented
How about allowing new org.mypackage.ClassName in JSON input?
We would like to use Gson as a lightweight IoC controller (we already are using Gson) as it fits our use cases better than Guice (file-based configuration rather than annotation-based dependency injection).
Security issues can be mitigated by disabling this by default. A method in GsonBuilder (setXXX) can activate it.
Original comment by gin...@gmail.com
on 21 Feb 2010 at 8:05
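An added example, not part of the original thread and not Gson's own code, of one way to carry type information in JSON while addressing the security concern raised above: the JSON holds a short tag that is looked up in a server-side allow-list, so input never names a class to load. The `Circle` and `Square` classes, the `type` field and the tag names are assumptions made for this illustration.

```java
import com.google.gson.Gson;
import com.google.gson.JsonElement;
import com.google.gson.JsonObject;
import com.google.gson.JsonParseException;
import java.util.Map;

public class AllowListedTypes {
    // Hypothetical payload classes for this example.
    static class Circle { double radius; }
    static class Square { double side; }

    // Tags are chosen by the application; the JSON never carries a Java class name.
    private static final Map<String, Class<?>> ALLOWED = Map.of(
            "circle", Circle.class,
            "square", Square.class);

    private static final Gson GSON = new Gson();

    static Object fromTaggedJson(String text) {
        JsonElement root = GSON.fromJson(text, JsonElement.class);
        if (root == null || !root.isJsonObject()) {
            throw new JsonParseException("expected a JSON object");
        }
        JsonObject obj = root.getAsJsonObject();
        // Take the tag out so it is not treated as a field of the target class.
        JsonElement tag = obj.remove("type");
        if (tag == null || !tag.isJsonPrimitive() || !tag.getAsJsonPrimitive().isString()) {
            throw new JsonParseException("missing or non-string \"type\" tag");
        }
        Class<?> target = ALLOWED.get(tag.getAsString());
        if (target == null) {
            // Unknown tags are rejected; nothing from the input reaches Class.forName.
            throw new JsonParseException("type not allowed: " + tag.getAsString());
        }
        return GSON.fromJson(obj, target);
    }

    public static void main(String[] args) {
        // Constructed sample inputs.
        Object shape = fromTaggedJson("{\"type\":\"circle\",\"radius\":2.5}");
        System.out.println(shape.getClass().getSimpleName());
        try {
            fromTaggedJson("{\"type\":\"com.example.NotRegistered\",\"radius\":1}");
        } catch (JsonParseException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```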
GoogleCodeExporter commented
Original comment by inder123
on 1 Nov 2010 at 10:32
- Removed labels: Milestone-Release1.5
GoogleCodeExporter commented
Original comment by inder123
on 3 Nov 2010 at 1:46
- Added labels: Milestone-Undefined
GoogleCodeExporter commented
Original comment by inder123
on 3 Nov 2010 at 1:46
- Added labels: Milestone-Release1.7
- Removed labels: Milestone-Undefined
GoogleCodeExporter commented
Original comment by limpbizkit
on 4 Nov 2010 at 10:44
- Changed title: Permit type data in the serialized JSON
- Changed state: Duplicate