On Feb 12, 2010, at 7:34 PM, Tatu Saloranta wrote:
> --- On Wed, 2/10/10, Paul Sandoz <Paul.Sandoz_at_Sun.COM> wrote:
> ...
>>> Right. Wrapper I added has no extra logic, so whoever
>> adds that needs to make the decision to use it or not.
>>>
>>
>> OK. Jakub is on the case and will integrate.
>
> Ok. This was just an FYI, since it'll take a while to get things
> settled anyway.
>
OK!
> ...
>>> No. I have not used JSONP myself, so I did not know if
>> there are fancier usage patterns (beyond simple method names
>> -- I know that it could be any legal javascript expression).
>> Sounds like there are. :-)
>>>
>>
>> I am trying to find out more information but i have seen
>> HTML embedded in the JSON and that needed to be escaped, but
>> i cannot recall why. Jean Francois did some JSONP with
>
> Now that you mention, I have heard of more exotic use cases.
> Personally I think the whole notion (of making json automatically
> executable) is fishy -- it's data, just wrap it yourself -- but
> since there are users out there that want it, some support seems
> warranted.
>
Indeed.
> ...
>>> Wrapper does use Jackson's "raw" write methods to
>> bypass all quoting/escaping, so caller can pre-encode
>> assumed function name, although parentheses are always
>> added. But that should be safe wrt javascript expression
>> (value in parenthesis is same as without).
>>>
>>
>> OK.
>
> One more thing: it may be that all Jersey would really need would be
> to use "raw" write methods, and not the wrapper. This assuming that
> low-level integration code has direct access to JsonGenerator.
>
> Wrapper can still be used by users directly, if they know that
> underlying system is Jackson native binding.
>
The only thing is we still need to support compatibility with the
Jersey JAXB/JSON support for the JSONWithPadding so i am not sure if
using the raw write methods will restrict us in such function. Anyway
tis all theoretical until we start coding this.
Paul.