1. #1
    Jack_S (Sencha User)

    Ext.util.JSON.decode - eval security


    Hello All,

    Seems like this issue has already been talked about, but I'm still getting the eval problem with the Ext.util.JSON.decode. I suspect this would follow through to JsonReader etc.

    I'm trying to avoid doing all sorts of bridging between sandboxes, and would like to know if this has been addressed. I've heard talk about some Native JSON parsing but would like to know if I've missed something or is there some workaround.

    I suppose if the eval problem resided in Json.decode, then it may also reside in the JsonReader etc.

    Thanks for any information, been searching and searching and just cannot find a solid answer on what the "solution" is.

    Thank you

    Jack

  2. #2
    Jack_S (Sencha User)

    Ext Air 3.1 - JSON.decode - the definitive answer


    Hello All,

    I've spent much of the day roaming and reading through blogs, threads and tutorials and I'm a little lost on what the definitive answer surrounding Ext.util.JSON.decode is.

    I've upgraded to Ext 3.1, replaced the ext-air source with the new release (which corrects the eval) and am running Air 2.0.

    But I'm still getting the same security error surrounding eval(). I've read about the sandbox bridging but would like to know if this is necessary or there is a definitive fix for this.

    Here is the code that is generating the error (Ajax request in form). I would appreciate a simple definitive answer on this.

    Thanks Jack

    Code:
    Ext.onReady(function(){
        Ext.QuickTips.init();

        // maintain window state automatically
        var win = new Ext.air.NativeWindow({
            id: 'mainWindow',
            instance: window.nativeWindow,
            minimizeToTray: true,
            trayIcon: 'lib/ext/resources/icons/extlogo16.png',
            trayTip: 'Login',
            trayMenu: [{
                text: 'Open iApplication Center',
                handler: function(){
                    win.activate();
                }
            }, '-', {
                text: 'Exit',
                handler: function(){
                    air.NativeApplication.nativeApplication.exit();
                }
            }]
        });

        // actions shared by the system menu entries below
        var actions = {
            login: new Ext.Action({
                text: 'Login',
                tooltip: 'Login to iApplication Center',
                handler: function(){
                    login();
                }
            }),

            quit: new Ext.Action({
                text: 'Exit',
                handler: function(){
                    air.NativeApplication.nativeApplication.exit();
                }
            })
        };

        // builds and shows the login dialog
        function login() {
            var username = new Ext.form.TextField({
                fieldLabel: 'Username',
                name: 'p_t01',
                anchor: '100%',
                tabIndex: 1,
                allowBlank: false
            });
            var password = new Ext.form.TextField({
                fieldLabel: 'Password',
                name: 'p_t02',
                anchor: '100%',
                inputType: 'password',
                allowBlank: false
            });

            var form = new Ext.FormPanel({
                baseCls: 'x-plain',
                labelWidth: 80,
                margins: '10 10 5 10',
                defaultType: 'textfield',
                monitorValid: true,
                items: [username, password],
                buttons: [{
                    text: 'Login',
                    formBind: true,
                    handler: function(){
                        Ext.Ajax.request({
                            method: 'POST',
                            waitTitle: 'Connecting',
                            waitMsg: 'Sending data...',
                            url: 'http://127.0.0.1:8080/apex/wwv_flow.accept?p_arg_names=1784206358944294&p_arg_names=1784305549944295&p_flow_id=700&p_flow_step_id=101&p_request=LOGIN',
                            params: {p_t01: username.getValue(), p_t02: password.getValue()},
                            success: function(response, options){
                                // decoding the response here is where the eval() security error is reported
                                var json = Ext.util.JSON.decode(response.responseText);
                                Ext.Msg.alert('Login Success!', json.session_id);
                            },
                            failure: function(response, options){
                                Ext.Msg.alert('Warning!', 'Authentication server is unreachable ' + response.responseText);
                                form.getForm().reset();
                            }
                        });
                    }
                }]
            });

            // local to login(); shadows the NativeWindow "win" declared above
            var win = new Ext.Window({
                layout: 'fit',
                width: 300,
                height: 150,
                closable: false,
                resizable: false,
                plain: true,
                border: false,
                items: [form]
            });

            win.show();
        }

        var menus = Ext.air.SystemMenu;

        menus.add('File', [
            actions.login,
            actions.quit
        ]);

        menus.add('Help', [{
            text: 'About',
            handler: function(){
                Ext.air.NativeWindowManager.getAboutWindow().activate();
            }
        }]);

        var mainPanel = new Ext.Panel({
            region: 'center',
            id: 'mainPanel',
            html: 'welcome to iapplication center '
        });

        var viewport = new Ext.Viewport({
            layout: 'border',
            items: [mainPanel]
        });

        win.show();
        win.instance.activate();

        win.on('closing', function(){
            Ext.air.NativeWindowManager.closeAll();
        });
    });

  3. #3
    PranKe01 (Sencha Premium Member)


    I'm also running Ext3.1, but never got a problem with the JSON-encode/decode functions in Air 1.5.2 and 2beta oO

  4. #4
    Jack_S (Sencha User)

    JSON decode eval issue with Air - still failing


    So I'm still fighting this eval issue.

    I've redownloaded ExtJS 3.1, Air 2.0 as well as the ext-air.js for 3.1. My question is whether or not this is because I'm using the sandbox and not the external approach of sandbox bridging?

    Thanks for any help. Been stuck on this for nearly a week and I'm simply trying to pull off the following code:

    Code:
    var json = Ext.util.JSON.decode(response.responseText);
    Ext.Msg.alert('Login Success!', json.session_id);

  5. #5
    Jack_S (Sencha User)

    Ext.util.JSON.decode - use native


    Hello All,

    I'm testing a little and I've forced extjs to use native JSON parsing by setting USE_NATIVE_JSON : true, but now I'm getting complaints that it cannot parse the response.responseText which is {"success":true, "session_id": 1510870987505949}

    Can anybody give me a clue as to what I'm doing wrong?

    Thanks

    Jack

  6. #6
    mitchellsimoens (Sencha - Senior Forum Manager)


    I'm going to agree with @PranKe01, I just built an app that uses Ext.util.JSON.decode/encode and it works perfectly!
    Mitchell Simoens @SenchaMitch
    Sencha Inc, Senior Forum Manager

  7. #7
    Jack_S (Sencha User)

    [SOLVED] Ext.util.JSON.decode - eval security


    Thanks Mizzory and all others.

    I did a clean install of everything and now it works just fine. I also should have mentioned that I'm using Oracle Apex as my backend, which does have its drawbacks.

    You need to create a separate page template and strip out all of the html, otherwise in the case of the login page, it will return the correct JSON string, but also ADD all the additional HTML tags and messages into the header, and this is where the code functionality gets broken.

    Thanks once more to all

    p.s ExtJS Awesome, Adobe Air Awesome, Oracle Apex Awesome - getting the right glue not so awesome ;-)

  8. #8
    sara_762001 (Ext User)

    Ext.util.JSON.decode - eval security


    Hi Jack,

    I am also facing the same issue in Ext.util.JSON.decode. Can you help me on this please? What version of ext-base.js, ext-air.js and ext-all.js do I need to use?

    I already used the following versions.

    1. ext-base.js - 3.1.1
    2. ext-air.js - 3.1
    3. ext-all.js - 3.1.1.

    Kind Regards
    S.Saravanan

  9. #9
    makana (Sencha User)


    I have to agree with @PranKe01 and @mitchellsimoens. I never got issues with JSON encoding/decoding. See post #7 and make sure you receive correct json without any html tags or additional stuff...

  10. #10
    sara_762001 (Ext User)

    Ext.util.JSON.decode - eval security


    Hi Makana,

    This is my JSON, which I got from the server. Inside the JSON I am using some special characters like (~~) to identify show grid data as hyperlink, etc. Is it causing some problem?

    [
    [{id:'OrgName',renderer:HyperLinkLeftGridOrg,header:'Org Name',dataIndex:'OrgName'},{id:'ClientCount',renderer:HyperLinkLeftGridOrg,header:'Client Count',dataIndex:'ClientCount'}],
    [{name:'OrgName',mapping:'col1'},{name:'ClientCount',mapping:'col2'}],
    [{"col1":"ROW1DATA~~Y_","col2":"0~~Y_"},{"col1":"ROW2DATA~~N","col2":"0~~N"},{"col1":"ROW3DATA~~N","col2":"0~~N"},{"col1":"ROW4DATA~~N","col2":"0~~N"}]
    ]

    Kind Regards
    S.Saravanan
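
Added example (not part of any post in this thread, and not Ext JS code): decoding the responses quoted in posts #5, #7 and #10 with native `JSON.parse` instead of `eval()`. It shows that strict parsing accepts the login body, rejects the same body wrapped in HTML and the payload with unquoted keys and a bare `renderer:HyperLinkLeftGridOrg` identifier, and resolves a renderer sent as a string name through a client-side allowlist. `strictDecode`, `decodeGridConfig`, `RENDERERS` and the renderer body are hypothetical, and the sample strings are constructed from the thread.

```javascript
// Added example. RENDERERS, strictDecode and decodeGridConfig are
// hypothetical names, not Ext JS or AIR APIs.

// Allowlist: the server sends a renderer *name*; the client owns the code.
const RENDERERS = {
  // Assumed behaviour: show the text before the "~~" marker.
  HyperLinkLeftGridOrg: (value) => String(value).split('~~')[0],
};

// JSON.parse never executes its input. It rejects unquoted keys,
// single-quoted strings, bare identifiers and any surrounding HTML.
function strictDecode(text) {
  try {
    return { ok: true, value: JSON.parse(text) };
  } catch (err) {
    return { ok: false, error: err.message };
  }
}

// Decode a column list and swap each renderer name for an allowlisted function.
function decodeGridConfig(text) {
  const res = strictDecode(text);
  if (!res.ok) return res;
  if (!Array.isArray(res.value)) return { ok: false, error: 'expected an array' };
  const columns = [];
  for (const col of res.value) {
    if (col === null || typeof col !== 'object') {
      return { ok: false, error: 'column is not an object' };
    }
    // hasOwnProperty keeps inherited keys such as "constructor" out.
    if (!Object.prototype.hasOwnProperty.call(RENDERERS, col.renderer)) {
      return { ok: false, error: 'unknown renderer: ' + col.renderer };
    }
    columns.push({ ...col, renderer: RENDERERS[col.renderer] });
  }
  return { ok: true, value: columns };
}

// Constructed samples modelled on the responses quoted in the thread.
const loginBody = '{"success":true, "session_id": 1510870987505949}';
const htmlWrapped = '<html><body>' + loginBody + '</body></html>';
const evalOnly = "[{id:'OrgName',renderer:HyperLinkLeftGridOrg,header:'Org Name'}]";
const strictCols = '[{"id":"OrgName","renderer":"HyperLinkLeftGridOrg","header":"Org Name"}]';

console.log(strictDecode(loginBody).ok, strictDecode(htmlWrapped).ok,
  strictDecode(evalOnly).ok, decodeGridConfig(strictCols).ok);
```

The failure result carries the parser's message, which is enough to tell an HTML-wrapped response apart from a payload that only `eval()` would accept.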