
Don't use eval to parse JSON data

Today I read about a security problem with JavaScript's eval() function that I wasn't previously aware of (and which I had been naively using to parse JSON data). The problem is not a bug in eval() itself: eval() executes whatever string it is given as JavaScript, so passing it a response body you don't fully control is code injection. Open a developer console and try this:


The code is executed! Anyone who can control or tamper with the response (a compromised server, a malicious third-party API, or a man-in-the-middle on a plain-HTTP connection) could return JavaScript instead of JSON, and it would run in the client with the full privileges of the page: reading cookies, sending requests as the user, rewriting the DOM. However, try this:

JSON.parse("alert('not pwned')")

Notice that it just throws a SyntaxError: JSON.parse() only accepts the JSON grammar and never executes anything, so for actual JSON it still produces the correct object while anything that isn't JSON is rejected outright. There's also a relevant Stack Overflow answer on this.

