dblackde/google-gson

Permit type data in the serialized JSON

Closed this issue · 7 comments

What steps will reproduce the problem?
1.
2.
3.

What is the expected output? What do you see instead?
Gson gson = new Gson();
MyObject ob = new MyObject();
String text = gson.toJson(ob);
MyObject copy_ob = (MyObject)gson.fromJson(text);

What version of the product are you using? On what operating system?
1.3

Please provide any additional information below.

Original issue reported on code.google.com by new.r...@gmail.com on 19 Jun 2009 at 5:41

  • Merged into: #231

While this may seem tempting, having the client JSON specify which class to instantiate seems to be full of security holes to me. Do you have a proposal on how to avoid security issues?

Original comment by inder123 on 23 Sep 2009 at 7:03

Deferred for consideration in a future release.

Original comment by inder123 on 29 Sep 2009 at 6:13

  • Added labels: Milestone-Release1.5

How about allowing new org.mypackage.ClassName in JSON input?

We would like to use Gson as a lightweight IoC controller (we already are using Gson) as it fits our use cases better than Guice (file-based configuration rather than annotation-based dependency injection).

Security issues can be mitigated by disabling this by default. A method in GsonBuilder (setXXX) can activate it.

Original comment by gin...@gmail.com on 21 Feb 2010 at 8:05

Original comment by inder123 on 1 Nov 2010 at 10:32

  • Removed labels: Milestone-Release1.5

Original comment by inder123 on 3 Nov 2010 at 1:46

  • Added labels: Milestone-Undefined

Original comment by inder123 on 3 Nov 2010 at 1:46

  • Added labels: Milestone-Release1.7
  • Removed labels: Milestone-Undefined

Original comment by limpbizkit on 4 Nov 2010 at 10:44

  • Changed title: Permit type data in the serialized JSON
  • Changed state: Duplicate