You are viewing a plain text version of this content. The canonical link for it is here.

Posted to solr-dev@lucene.apache.org by "Bertrand Delacretaz (JIRA)" <ji...@apache.org> on 2006/10/18 16:07:35 UTC

[jira] Created: (SOLR-56) PATCH: JSONResponseWriter JSON result wrapper function

PATCH: JSONResponseWriter JSON result wrapper function
------------------------------------------------------

                 Key: SOLR-56
                 URL: http://issues.apache.org/jira/browse/SOLR-56
             Project: Solr
          Issue Type: Improvement
          Components: search
         Environment: Tested on macosx 10.4.8, JDK 1.5
            Reporter: Bertrand Delacretaz
            Priority: Minor


This patch adds a "json.wrf" parameter to add a wrapper function around the JSON results, for example:

  json.wrf = eatJason
  search result = eatJason({"header":{"qtime":0},...}))

The result set is sent as a parameter to eatJason instead of being sent as a plain data structure.

This is useful to work around the cross-site limitations of JSON, when a client uses code like

  var head = document.getElementsByTagName("head")[0];
  script = document.createElement('script');
  script.id = 'uploadScript';
  script.type = 'text/javascript';
  script.src = "http://mysolrserver/solr/select?q=role:video&wt=json&json.wrf=eatJason";
  head.appendChild(script)

  function eatJason(obj){
     ...process obj which is Solr's JSON result
  } 				

However, I'm no javascript expert, and passing an arbitrary javascript function name in the request parameters feels a bit weird...wondering if this might enable some cross-site scripting scenarios?

But the technique is well-known apparently, see:
  http://www.theurer.cc/blog/2005/12/15/web-services-json-dump-your-proxy/
and 
  http://www.xml.com/pub/a/2005/12/21/json-dynamic-script-tag.html




-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira

[jira] Commented: (SOLR-56) PATCH: JSONResponseWriter JSON result wrapper function

Posted by "Yonik Seeley (JIRA)" <ji...@apache.org>.

    [ http://issues.apache.org/jira/browse/SOLR-56?page=comments#action_12443348 ] 
            
Yonik Seeley commented on SOLR-56:
----------------------------------

Thanks Bertrand, interesting stuff!

Since yahoo calls the parameter "callback", should we call ours "json.callback", or do people think that name is too long?  On the other hand, wrapper function *is* more descriptive about what it does to the actual response.  I'm undecided...



> PATCH: JSONResponseWriter JSON result wrapper function
> ------------------------------------------------------
>
>                 Key: SOLR-56
>                 URL: http://issues.apache.org/jira/browse/SOLR-56
>             Project: Solr
>          Issue Type: Improvement
>          Components: search
>         Environment: Tested on macosx 10.4.8, JDK 1.5
>            Reporter: Bertrand Delacretaz
>            Priority: Minor
>         Attachments: JSONResponseWriter.wrf.patch
>
>
> This patch adds a "json.wrf" parameter to add a wrapper function around the JSON results, for example:
>   json.wrf = eatJason
>   search result = eatJason({"header":{"qtime":0},...}))
> The result set is sent as a parameter to eatJason instead of being sent as a plain data structure.
> This is useful to work around the cross-site limitations of JSON, when a client uses code like
>   var head = document.getElementsByTagName("head")[0];
>   script = document.createElement('script');
>   script.id = 'uploadScript';
>   script.type = 'text/javascript';
>   script.src = "http://mysolrserver/solr/select?q=role:video&wt=json&json.wrf=eatJason";
>   head.appendChild(script)
>   function eatJason(obj){
>      ...process obj which is Solr's JSON result
>   } 				
> However, I'm no javascript expert, and passing an arbitrary javascript function name in the request parameters feels a bit weird...wondering if this might enable some cross-site scripting scenarios?
> But the technique is well-known apparently, see:
>   http://www.theurer.cc/blog/2005/12/15/web-services-json-dump-your-proxy/
> and 
>   http://www.xml.com/pub/a/2005/12/21/json-dynamic-script-tag.html

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira

[jira] Updated: (SOLR-56) PATCH: JSONResponseWriter JSON result wrapper function

Posted by "Bertrand Delacretaz (JIRA)" <ji...@apache.org>.

     [ http://issues.apache.org/jira/browse/SOLR-56?page=all ]

Bertrand Delacretaz updated SOLR-56:
------------------------------------

    Attachment: JSONResponseWriter.wrf.patch

The patch (also includes changes from SOLR-49)

> PATCH: JSONResponseWriter JSON result wrapper function
> ------------------------------------------------------
>
>                 Key: SOLR-56
>                 URL: http://issues.apache.org/jira/browse/SOLR-56
>             Project: Solr
>          Issue Type: Improvement
>          Components: search
>         Environment: Tested on macosx 10.4.8, JDK 1.5
>            Reporter: Bertrand Delacretaz
>            Priority: Minor
>         Attachments: JSONResponseWriter.wrf.patch
>
>
> This patch adds a "json.wrf" parameter to add a wrapper function around the JSON results, for example:
>   json.wrf = eatJason
>   search result = eatJason({"header":{"qtime":0},...}))
> The result set is sent as a parameter to eatJason instead of being sent as a plain data structure.
> This is useful to work around the cross-site limitations of JSON, when a client uses code like
>   var head = document.getElementsByTagName("head")[0];
>   script = document.createElement('script');
>   script.id = 'uploadScript';
>   script.type = 'text/javascript';
>   script.src = "http://mysolrserver/solr/select?q=role:video&wt=json&json.wrf=eatJason";
>   head.appendChild(script)
>   function eatJason(obj){
>      ...process obj which is Solr's JSON result
>   } 				
> However, I'm no javascript expert, and passing an arbitrary javascript function name in the request parameters feels a bit weird...wondering if this might enable some cross-site scripting scenarios?
> But the technique is well-known apparently, see:
>   http://www.theurer.cc/blog/2005/12/15/web-services-json-dump-your-proxy/
> and 
>   http://www.xml.com/pub/a/2005/12/21/json-dynamic-script-tag.html

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira

[jira] Commented: (SOLR-56) PATCH: JSONResponseWriter JSON result wrapper function

Posted by "Bertrand Delacretaz (JIRA)" <ji...@apache.org>.

    [ http://issues.apache.org/jira/browse/SOLR-56?page=comments#action_12443352 ] 
            
Bertrand Delacretaz commented on SOLR-56:
-----------------------------------------

I though json.wrf was more in line with Solr's usual terseness in parameter names ;-)

And callback does not mean much in that context, I think wrapper function is more precise, it is what this actually does.

> PATCH: JSONResponseWriter JSON result wrapper function
> ------------------------------------------------------
>
>                 Key: SOLR-56
>                 URL: http://issues.apache.org/jira/browse/SOLR-56
>             Project: Solr
>          Issue Type: Improvement
>          Components: search
>         Environment: Tested on macosx 10.4.8, JDK 1.5
>            Reporter: Bertrand Delacretaz
>            Priority: Minor
>         Attachments: JSONResponseWriter.wrf.patch
>
>
> This patch adds a "json.wrf" parameter to add a wrapper function around the JSON results, for example:
>   json.wrf = eatJason
>   search result = eatJason({"header":{"qtime":0},...}))
> The result set is sent as a parameter to eatJason instead of being sent as a plain data structure.
> This is useful to work around the cross-site limitations of JSON, when a client uses code like
>   var head = document.getElementsByTagName("head")[0];
>   script = document.createElement('script');
>   script.id = 'uploadScript';
>   script.type = 'text/javascript';
>   script.src = "http://mysolrserver/solr/select?q=role:video&wt=json&json.wrf=eatJason";
>   head.appendChild(script)
>   function eatJason(obj){
>      ...process obj which is Solr's JSON result
>   } 				
> However, I'm no javascript expert, and passing an arbitrary javascript function name in the request parameters feels a bit weird...wondering if this might enable some cross-site scripting scenarios?
> But the technique is well-known apparently, see:
>   http://www.theurer.cc/blog/2005/12/15/web-services-json-dump-your-proxy/
> and 
>   http://www.xml.com/pub/a/2005/12/21/json-dynamic-script-tag.html

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira

[jira] Resolved: (SOLR-56) PATCH: JSONResponseWriter JSON result wrapper function

Posted by "Yonik Seeley (JIRA)" <ji...@apache.org>.

     [ http://issues.apache.org/jira/browse/SOLR-56?page=all ]

Yonik Seeley resolved SOLR-56.
------------------------------

    Resolution: Fixed
      Assignee: Yonik Seeley

Yes, it does make more sense. Committed.

> PATCH: JSONResponseWriter JSON result wrapper function
> ------------------------------------------------------
>
>                 Key: SOLR-56
>                 URL: http://issues.apache.org/jira/browse/SOLR-56
>             Project: Solr
>          Issue Type: Improvement
>          Components: search
>         Environment: Tested on macosx 10.4.8, JDK 1.5
>            Reporter: Bertrand Delacretaz
>         Assigned To: Yonik Seeley
>            Priority: Minor
>         Attachments: JSONResponseWriter.wrf.patch
>
>
> This patch adds a "json.wrf" parameter to add a wrapper function around the JSON results, for example:
>   json.wrf = eatJason
>   search result = eatJason({"header":{"qtime":0},...}))
> The result set is sent as a parameter to eatJason instead of being sent as a plain data structure.
> This is useful to work around the cross-site limitations of JSON, when a client uses code like
>   var head = document.getElementsByTagName("head")[0];
>   script = document.createElement('script');
>   script.id = 'uploadScript';
>   script.type = 'text/javascript';
>   script.src = "http://mysolrserver/solr/select?q=role:video&wt=json&json.wrf=eatJason";
>   head.appendChild(script)
>   function eatJason(obj){
>      ...process obj which is Solr's JSON result
>   } 				
> However, I'm no javascript expert, and passing an arbitrary javascript function name in the request parameters feels a bit weird...wondering if this might enable some cross-site scripting scenarios?
> But the technique is well-known apparently, see:
>   http://www.theurer.cc/blog/2005/12/15/web-services-json-dump-your-proxy/
> and 
>   http://www.xml.com/pub/a/2005/12/21/json-dynamic-script-tag.html

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira