
Rich Cannings, Himanshu Dwivedi, Zane Lackey, and Alex Stamos

"Hacking Exposed Web 2.0: Web 2.0 Security Secrets and Solutions"

If a JSON response is
directly eval()'ed, it will instantiate new arrays containing the specified data that
existing JavaScript on the client can use to refresh the DOM. Following is an example of
a client calling a zip code lookup method on the server, with the server returning JSON,
which will be executed in an eval() on the client. Note how in this example JSON is
significantly smaller than the same result in full XML. Here is the client request:
GET http://www.example.com/zipcode_lookup.jsp?city=seattle
And here is the server response:
"zipcodes" : [ "98101", "98102" ]
150 Hacking Exposed Web 2.0
Custom Serialization
AJAX toolkits are also free to use their own custom serialization format. This is because
the XMLHTTPRequest object allows developers to send data in any way they choose.
These formats vary wildly in how they look on the wire. Following is an example of a
client calling a zip code lookup method on the server with ASP.NET AJAX and the server
returning results in custom serialization. Here is the client request:
GET http://www.example.com/zipcode_lookup.jsp?city=seattle
Here is the server response:
{"Zipcodes":{"Zipcode1":"98101", "Zipcode2":"98102"}}
The next example shows a client calling a zip code lookup method on the server with
Google Web Toolkit, with the server returning results in custom serialization.
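As an added example (not code from the book), the following client-side JavaScript consumes both wire formats shown above, the plain JSON array and the ASP.NET AJAX object, without handing the response body to eval(). The response strings are constructed samples modelled on the ones above, with the JSON body wrapped in braces so that it is a well-formed JSON text; the function names are my own.

```javascript
// Added example: parse the zip code lookup responses with JSON.parse instead of eval().
// Constructed sample bodies, modelled on the responses shown in the text.
const jsonResponse = '{ "zipcodes" : [ "98101", "98102" ] }';
const aspNetResponse = '{"Zipcodes":{"Zipcode1":"98101", "Zipcode2":"98102"}}';
// A body that is script rather than data: eval() would run it, JSON.parse() throws.
const nonJsonResponse = 'alert(1); ({ "zipcodes" : [] })';

// Strict parse: accept only a well-formed JSON text whose top-level value is an object.
function parseLookupResponse(body) {
  let data;
  try {
    data = JSON.parse(body);
  } catch (e) {
    return null; // not JSON, so refuse it instead of evaluating it as code
  }
  if (data === null || typeof data !== 'object' || Array.isArray(data)) {
    return null; // reject scalars and bare arrays; the API contract is an object
  }
  return data;
}

// Normalise either wire format to a plain array of strings.
function extractZipcodes(body) {
  const data = parseLookupResponse(body);
  if (!data) return [];
  // Format 1 (plain JSON): {"zipcodes": ["98101", "98102"]}
  if (Array.isArray(data.zipcodes)) {
    return data.zipcodes.filter(z => typeof z === 'string');
  }
  // Format 2 (ASP.NET AJAX style): {"Zipcodes": {"Zipcode1": "...", "Zipcode2": "..."}}
  if (data.Zipcodes && typeof data.Zipcodes === 'object') {
    return Object.keys(data.Zipcodes)
      .filter(k => /^Zipcode\d+$/.test(k))
      .sort((a, b) => Number(a.slice(7)) - Number(b.slice(7))) // "Zipcode" is 7 chars
      .map(k => data.Zipcodes[k])
      .filter(z => typeof z === 'string');
  }
  return [];
}

// Validate each value as a five-digit US zip code before anything reaches the DOM.
function validZipcodes(body) {
  return extractZipcodes(body).filter(z => /^\d{5}$/.test(z));
}
```

The same validation step applies whatever the toolkit's serialization format: parse with a data-only parser, check the shape you expect, then use the values.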

