为什么将数据存储在JSON而不是JavaScript对象文字/初始值设定项中？ [英] Why store data in JSON rather than JavaScript object literal/initializer?

问题描述

我一直在开发Firefox插件一年。

我的最新更新已被拒绝，因为他们希望我将您的对象/模式存储不可执行的JSON文件，并通过XHR或SDK API（如果适用）加载和解析，如下例所示：

  var data = require（'sdk / self'）。data; 
 var myJSON = JSON.parse（data.load（'dir / file.json'））; 
  

我总是将数据存储在JavaScript对象初始化程序中，甚至没有收到警告。

有问题的数据目前被表示为一个或多个 object literal / initializer 表达式在我的插件中的JavaScript文件中。我是不是从外部来源获取这个数据。

这种方式有什么问题？为什么要改变？

由于这个拒绝，我上次批准的版本被损坏，无法下载。

eval（））。 >

在使用插件访问以静态形式发布的数据的上下文中，我不确定他们要防范什么。

现在这是一个无回答，但是我将它留在这里而不是删除，因为我认为下面的Mayken的评论值得保留。

I have been developing a Firefox add-on for one year.

My last update has been refused, because they want me to "store your objects/patterns in non-executable JSON files and load and parse via XHR or SDK API (if applicable), as in this example:"

var data = require('sdk/self').data;
var myJSON = JSON.parse(data.load('dir/file.json'));

I've always stored my data in JavaScript object initializers and never received even a warning.

The data in question is currently represented as one, or more, object literal/initializer expressions in a JavaScript files within my add-on. I am not obtaining this data from a source external to my add-on.

What is wrong with this way? Why should I change?

Since this refusal, my last approved version is "corrupted" and can't be downloaded.

解决方案

When dealing with an external datasource, this is a security precaution against code-injection and XSS hijacking. Always parsing incoming JSON prevents functions injected into the data by an outside actor from being executed (as they would be if you used, for instance, eval()).

In the context of accessing data that shipped in static form with your plug-in, I'm not sure what they're trying to guard against.

This is now a non-answer, but I'm leaving it here rather than deleting because I think Mayken's comment below is worth preserving.

这篇关于为什么将数据存储在JSON而不是JavaScript对象文字/初始值设定项中？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！