--- On Wed, 2/10/10, Paul Sandoz <Paul.Sandoz_at_Sun.COM> wrote:
...
> > Right. Wrapper I added has no extra logic, so whoever
> adds that needs to make the decision to use it or not.
> >
>
> OK. Jakub is on the case and will integrate.
Ok. This was just an FYI, since it'll take a while to get things settled anyway.
...
> > No. I have not used JSONP myself, so I did not know if
> there are fancier usage patterns (beyond simple method names
> -- I know that it could be any legal javascript expression).
> Sounds like there are. :-)
> >
>
> I am trying to find out more information but i have seen
> HTML embedded in the JSON and that needed to be escaped, but
> i cannot recall why. Jean Francois did some JSONP with
Now that you mention, I have heard of more exotic use cases.
Personally I think the whole notion (of making json automatically executable) is fishy -- it's data, just wrap it yourself -- but since there are users out there that want it, some support seems warranted.
...
> > Wrapper does use Jackson's "raw" write methods to
> bypass all quoting/escaping, so caller can pre-encode
> assumed function name, although parentheses are always
> added. But that should be safe wrt javascript expression
> (value in parenthesis is same as without).
> >
>
> OK.
One more thing: it may be that all Jersey would really need would be to use "raw" write methods, and not the wrapper. This assuming that low-level integration code has direct access to JsonGenerator.
Wrapper can still be used by users directly, if they know that underlying system is Jackson native binding.
-+ Tatu +-