You are viewing a plain text version of this content. The canonical link for it is here.
Posted to solr-dev@lucene.apache.org by "Bertrand Delacretaz (JIRA)" <ji...@apache.org> on 2006/10/18 16:07:35 UTC
[jira] Created: (SOLR-56) PATCH: JSONResponseWriter JSON result
wrapper function
PATCH: JSONResponseWriter JSON result wrapper function
------------------------------------------------------
Key: SOLR-56
URL: http://issues.apache.org/jira/browse/SOLR-56
Project: Solr
Issue Type: Improvement
Components: search
Environment: Tested on macosx 10.4.8, JDK 1.5
Reporter: Bertrand Delacretaz
Priority: Minor
This patch adds a "json.wrf" parameter to add a wrapper function around the JSON results, for example:
json.wrf = eatJason
search result = eatJason({"header":{"qtime":0},...}))
The result set is sent as a parameter to eatJason instead of being sent as a plain data structure.
This is useful to work around the cross-site limitations of JSON, when a client uses code like
var head = document.getElementsByTagName("head")[0];
script = document.createElement('script');
script.id = 'uploadScript';
script.type = 'text/javascript';
script.src = "http://mysolrserver/solr/select?q=role:video&wt=json&json.wrf=eatJason";
head.appendChild(script)
function eatJason(obj){
...process obj which is Solr's JSON result
}
However, I'm no javascript expert, and passing an arbitrary javascript function name in the request parameters feels a bit weird...wondering if this might enable some cross-site scripting scenarios?
But the technique is well-known apparently, see:
http://www.theurer.cc/blog/2005/12/15/web-services-json-dump-your-proxy/
and
http://www.xml.com/pub/a/2005/12/21/json-dynamic-script-tag.html
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] Commented: (SOLR-56) PATCH: JSONResponseWriter JSON result
wrapper function
Posted by "Yonik Seeley (JIRA)" <ji...@apache.org>.
[ http://issues.apache.org/jira/browse/SOLR-56?page=comments#action_12443348 ]
Yonik Seeley commented on SOLR-56:
----------------------------------
Thanks Bertrand, interesting stuff!
Since yahoo calls the parameter "callback", should we call ours "json.callback", or do people think that name is too long? On the other hand, wrapper function *is* more descriptive about what it does to the actual response. I'm undecided...
> PATCH: JSONResponseWriter JSON result wrapper function
> ------------------------------------------------------
>
> Key: SOLR-56
> URL: http://issues.apache.org/jira/browse/SOLR-56
> Project: Solr
> Issue Type: Improvement
> Components: search
> Environment: Tested on macosx 10.4.8, JDK 1.5
> Reporter: Bertrand Delacretaz
> Priority: Minor
> Attachments: JSONResponseWriter.wrf.patch
>
>
> This patch adds a "json.wrf" parameter to add a wrapper function around the JSON results, for example:
> json.wrf = eatJason
> search result = eatJason({"header":{"qtime":0},...}))
> The result set is sent as a parameter to eatJason instead of being sent as a plain data structure.
> This is useful to work around the cross-site limitations of JSON, when a client uses code like
> var head = document.getElementsByTagName("head")[0];
> script = document.createElement('script');
> script.id = 'uploadScript';
> script.type = 'text/javascript';
> script.src = "http://mysolrserver/solr/select?q=role:video&wt=json&json.wrf=eatJason";
> head.appendChild(script)
> function eatJason(obj){
> ...process obj which is Solr's JSON result
> }
> However, I'm no javascript expert, and passing an arbitrary javascript function name in the request parameters feels a bit weird...wondering if this might enable some cross-site scripting scenarios?
> But the technique is well-known apparently, see:
> http://www.theurer.cc/blog/2005/12/15/web-services-json-dump-your-proxy/
> and
> http://www.xml.com/pub/a/2005/12/21/json-dynamic-script-tag.html
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] Updated: (SOLR-56) PATCH: JSONResponseWriter JSON result
wrapper function
Posted by "Bertrand Delacretaz (JIRA)" <ji...@apache.org>.
[ http://issues.apache.org/jira/browse/SOLR-56?page=all ]
Bertrand Delacretaz updated SOLR-56:
------------------------------------
Attachment: JSONResponseWriter.wrf.patch
The patch (also includes changes from SOLR-49)
> PATCH: JSONResponseWriter JSON result wrapper function
> ------------------------------------------------------
>
> Key: SOLR-56
> URL: http://issues.apache.org/jira/browse/SOLR-56
> Project: Solr
> Issue Type: Improvement
> Components: search
> Environment: Tested on macosx 10.4.8, JDK 1.5
> Reporter: Bertrand Delacretaz
> Priority: Minor
> Attachments: JSONResponseWriter.wrf.patch
>
>
> This patch adds a "json.wrf" parameter to add a wrapper function around the JSON results, for example:
> json.wrf = eatJason
> search result = eatJason({"header":{"qtime":0},...}))
> The result set is sent as a parameter to eatJason instead of being sent as a plain data structure.
> This is useful to work around the cross-site limitations of JSON, when a client uses code like
> var head = document.getElementsByTagName("head")[0];
> script = document.createElement('script');
> script.id = 'uploadScript';
> script.type = 'text/javascript';
> script.src = "http://mysolrserver/solr/select?q=role:video&wt=json&json.wrf=eatJason";
> head.appendChild(script)
> function eatJason(obj){
> ...process obj which is Solr's JSON result
> }
> However, I'm no javascript expert, and passing an arbitrary javascript function name in the request parameters feels a bit weird...wondering if this might enable some cross-site scripting scenarios?
> But the technique is well-known apparently, see:
> http://www.theurer.cc/blog/2005/12/15/web-services-json-dump-your-proxy/
> and
> http://www.xml.com/pub/a/2005/12/21/json-dynamic-script-tag.html
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] Commented: (SOLR-56) PATCH: JSONResponseWriter JSON result
wrapper function
Posted by "Bertrand Delacretaz (JIRA)" <ji...@apache.org>.
[ http://issues.apache.org/jira/browse/SOLR-56?page=comments#action_12443352 ]
Bertrand Delacretaz commented on SOLR-56:
-----------------------------------------
I though json.wrf was more in line with Solr's usual terseness in parameter names ;-)
And callback does not mean much in that context, I think wrapper function is more precise, it is what this actually does.
> PATCH: JSONResponseWriter JSON result wrapper function
> ------------------------------------------------------
>
> Key: SOLR-56
> URL: http://issues.apache.org/jira/browse/SOLR-56
> Project: Solr
> Issue Type: Improvement
> Components: search
> Environment: Tested on macosx 10.4.8, JDK 1.5
> Reporter: Bertrand Delacretaz
> Priority: Minor
> Attachments: JSONResponseWriter.wrf.patch
>
>
> This patch adds a "json.wrf" parameter to add a wrapper function around the JSON results, for example:
> json.wrf = eatJason
> search result = eatJason({"header":{"qtime":0},...}))
> The result set is sent as a parameter to eatJason instead of being sent as a plain data structure.
> This is useful to work around the cross-site limitations of JSON, when a client uses code like
> var head = document.getElementsByTagName("head")[0];
> script = document.createElement('script');
> script.id = 'uploadScript';
> script.type = 'text/javascript';
> script.src = "http://mysolrserver/solr/select?q=role:video&wt=json&json.wrf=eatJason";
> head.appendChild(script)
> function eatJason(obj){
> ...process obj which is Solr's JSON result
> }
> However, I'm no javascript expert, and passing an arbitrary javascript function name in the request parameters feels a bit weird...wondering if this might enable some cross-site scripting scenarios?
> But the technique is well-known apparently, see:
> http://www.theurer.cc/blog/2005/12/15/web-services-json-dump-your-proxy/
> and
> http://www.xml.com/pub/a/2005/12/21/json-dynamic-script-tag.html
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] Resolved: (SOLR-56) PATCH: JSONResponseWriter JSON result
wrapper function
Posted by "Yonik Seeley (JIRA)" <ji...@apache.org>.
[ http://issues.apache.org/jira/browse/SOLR-56?page=all ]
Yonik Seeley resolved SOLR-56.
------------------------------
Resolution: Fixed
Assignee: Yonik Seeley
Yes, it does make more sense. Committed.
> PATCH: JSONResponseWriter JSON result wrapper function
> ------------------------------------------------------
>
> Key: SOLR-56
> URL: http://issues.apache.org/jira/browse/SOLR-56
> Project: Solr
> Issue Type: Improvement
> Components: search
> Environment: Tested on macosx 10.4.8, JDK 1.5
> Reporter: Bertrand Delacretaz
> Assigned To: Yonik Seeley
> Priority: Minor
> Attachments: JSONResponseWriter.wrf.patch
>
>
> This patch adds a "json.wrf" parameter to add a wrapper function around the JSON results, for example:
> json.wrf = eatJason
> search result = eatJason({"header":{"qtime":0},...}))
> The result set is sent as a parameter to eatJason instead of being sent as a plain data structure.
> This is useful to work around the cross-site limitations of JSON, when a client uses code like
> var head = document.getElementsByTagName("head")[0];
> script = document.createElement('script');
> script.id = 'uploadScript';
> script.type = 'text/javascript';
> script.src = "http://mysolrserver/solr/select?q=role:video&wt=json&json.wrf=eatJason";
> head.appendChild(script)
> function eatJason(obj){
> ...process obj which is Solr's JSON result
> }
> However, I'm no javascript expert, and passing an arbitrary javascript function name in the request parameters feels a bit weird...wondering if this might enable some cross-site scripting scenarios?
> But the technique is well-known apparently, see:
> http://www.theurer.cc/blog/2005/12/15/web-services-json-dump-your-proxy/
> and
> http://www.xml.com/pub/a/2005/12/21/json-dynamic-script-tag.html
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira