While using Ajax in web applications we use XML to transfer the data between server and client. However, XSS validation comes into the picture, so the questions are:

1. Is passing XML like this correct?
2. Are we exposed to security issues if we turn off XSS validation?
3. Can passing the Ajax request with a header (content-type = application/xml) solve this problem?

JSON is also a good approach to transfer the data, but that too invokes XSS. So what is correct and incorrect? Suggest some good practices. Please provide your input for the same. Thanks,

+1  A: 

I prefer using JSON for this; it is much more lightweight than XML, and since it is a JavaScript object it becomes trivial to make use of the data returned in your event handler. Just be careful not to eval() your JSON object, as this compromises security; see http://stackoverflow.com/questions/197769/when-is-javascripts-eval-not-evil

As for the XSS protection, it is there for good reason. I take it from your post that the client code is hosted on a different domain to the data source? XSS protection only comes into effect if that is the case. You might want to look into JSONP, which has been developed for this scenario, though it too carries its own set of security concerns: http://en.wikipedia.org/wiki/JSON#JSONP

Hope this helps,

JS

John Schulze
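The two habits the answer recommends, parsing the response with JSON.parse instead of eval() and treating every returned string as text when it goes into the page, as an added example that is not part of the question or the answer above. The function names (parseResponse, escapeHtml, renderUserCard, handleResponse) and the sample response bodies are constructed for this example.

```javascript
// Added example, not code from the original question or answer.
// Consuming an Ajax response on the client without exposing the page to
// script injection: JSON.parse only accepts JSON data, so a body that is not
// pure data is rejected rather than executed, and every field taken from the
// response is escaped before it becomes markup.

function parseResponse(body) {
  // JSON.parse knows no identifiers, function calls or statements; anything
  // beyond JSON literals throws instead of running. Never fall back to eval().
  try {
    return JSON.parse(body);
  } catch (err) {
    return null; // malformed or non-JSON response: caller treats it as an error
  }
}

function escapeHtml(value) {
  // HTML-escape a string so it renders literally when inserted as markup.
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

function renderUserCard(user) {
  // Build a fragment from a parsed record; every response field is escaped.
  // In a browser, element.textContent = user.name gives the same guarantee
  // without building markup by hand.
  return (
    '<div class="user"><span class="name">' + escapeHtml(user.name) + "</span>" +
    '<p class="bio">' + escapeHtml(user.bio) + "</p></div>"
  );
}

function handleResponse(body) {
  // What an XMLHttpRequest onreadystatechange handler would do with responseText.
  const data = parseResponse(body);
  if (data === null || typeof data.user !== "object" || data.user === null) {
    return { ok: false, html: "" };
  }
  return { ok: true, html: renderUserCard(data.user) };
}

// Constructed sample bodies (not real server output)
const goodBody = '{"user":{"name":"Alice","bio":"likes <b>bold</b> text & tea"}}';
const badBody = '{"user": window.location}'; // not JSON: eval() would evaluate it, JSON.parse throws
const emptyBody = '{"user": null}';

console.log(handleResponse(goodBody)); // ok: true, bio rendered with &lt;b&gt; escaped
console.log(handleResponse(badBody));  // ok: false, nothing executed
console.log(handleResponse(emptyBody)); // ok: false
```

Browsers that predate a native JSON object can load Douglas Crockford's json2.js, which provides the same JSON.parse and JSON.stringify interface, so there is no need to reach for eval() on older clients either.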