MSDN Magazine - October 2007 - (Page 45)

From a purely technical standpoint,AJAX services don’t strictly require JSON to be implemented as the data representation format. You could achieve the same result using XML, but then you would need an XML parser that can be used from JavaScript. Parsing some simple XML text in JavaScript may not be an issue, but using a full-blown parser is a different story.Performance and functionality-related issues will likely lead to the existence of numerous seemingly similar components that have little in common. And then there’s the question of whether the JavaScript XML parser will support things like namespaces, schemas, white spaces, comments, processing instructions, and so on. As I see it, for the sake of compatibility you would end up with a subset of XML limited to nodes and attributes. At that point, it is merely a matter of choosing between the angle brackets of XML and the curly brackets of JSON. Never tried SlickEdit? What’s your excuse? T 10 Reasons NOTto use SlickEdit op 1. The more I type, the better I get at it. 2. The office is so peaceful after 10PM. 3. Real programmers don’t need no fancy tools. 4. Nothing is more satisfying than formatting my code by hand. 5. I can get full disability when my Repetitive Stress Injury is severe enough. 6. I love reading library reference manuals. 7. Milestones? What are milestones? 8. Half the fun of writing code is fixing syntax errors. 9. If I finish my work on schedule they’ll just give me more to do. 10. I’d lose my parking spot if I had time to go out for lunch. Security Concerns AJAX allows for a more dynamic, interactive browsing experience. This, however, increases the surface area for common types of attacks such as cross-site scripting (XSS) and cross-site request forgery (CSRF). These types of attacks are caused by an attacker injecting script code into a Web page,generally via a URL,thereby allowing the attacker to control the Web browser— performing actions such as stealing user names and passwords or executing HTTP requests without the user’s knowledge. An attacker could, for instance, inject malicious script into the client using a dynamically created tag, allowing data to then be imported into the attacker’s Web site. In the case of a CSRF attack, the attacker could inject a script into the client, allowing the attacker to execute unauthorized service methods on another Web site by using saved authentication information (such as cookies) on the client. JSON is a powerful way to pack data and deliver it to the client. However,because JSON is considered a safe subset of the JavaScript language (it excludes assignment and invocation operations), many AJAX applications simply pass JSON strings directly to the JavaScript eval function in order to create JavaScript objects.As a result, a malformed JSON string provides a new means for an attacker to execute unauthorized script on the client. Most of these attack types rely on exploiting the GET verb on an HTTP request. Fortunately, ASP.NET AJAX Services have the GET verb disabled by default on remote services. Additionally, you can require that a special content type be set in the request: in any other case, an ASP.NET AJAX service will refuse the call. By design, any direct call made from a tag to an ASP.NET AJAX service has the wrong content type and fails. There's really only one good reason not to use SlickEdit — you've never tried it. How can we be so sure? User feedback. For 19 years we've listened to power programmers and continued to try to exceed their expectations. Our multilanguage development tools and advanced code editors are fast, powerful, and flexible — whether you're developing on Windows, Linux, UNIX, or Mac OS. Whatever your environment, SlickEdit has a tool for you. Our product suite includes SlickEdit , SlickEdit Tools for Microsoft Visual Studio 2005, and the ® SlickEdit Plug-in for Eclipse™. ® ® ® ® Services in ASP.NET AJAX WithASP.NETAJAX Extensions,you can implement script services in two ways—using a special type of ASP.NET Web services and via page methods.In the former case,you just design and build a class linked to an ASMX resource: www.slickedit.com Download a FREE trial at www.slickedit.com/trial or Cutting Edge october2007 call 1-800-934-3348. 45 http://www.slickedit.com http://www.slickedit.com/trial

Table of Contents Feed for the Digital Edition of MSDN Magazine - October 2007

Cover Contents Toolbox CLR Inside Out Basic Instincts Data Points Cutting Edge Pooled Threads WPF Threads Parallel Linq Parallel Performance Mobile Apps Test Run Foundations Windows with C++ Netting C++ .NET Matters { End Bracket } Net Nuptials

MSDN Magazine - October 2007

For optimal viewing of this digital publication, please enable JavaScript and then refresh the page. If you would like to try to load the digital publication without using Flash Player detection, please click here.