content-handler.html

<html>
<head>
	<title>Testing JSON parsing</title>
	<script src="trunk/dojo/dojo.js"></script>
	<script>
	
		// setup the content-handler to use dojox.secure.capability or native JSON.parse
		dojo._contentHandlers.json = (function(d){ 
	
			// sanity check, load the module ...
			var tehNative = window.JSON && JSON.parse;
			!tehNative && d["require"]("dojox.secure.capability");

			// common invalid function:
			var invalid = function(e){
				console.warn("Invalid JSON caught", e);
				throw new Error(e);
			}
			
			return tehNative ? 
				// return a function to replace the content handler. Use native if available,
				// otherwise defer to the [likely slower] dx.secure.capability.validate fn
				function(xhr){ 
					try { var foo = tehNative(xhr.responseText || null); }
					catch(e){ invalid(e); return; }
					return foo;
				} : 
				function(xhr){
					try{ dojox.secure.capability.validate(xhr.responseText, [], {}); }
					catch(e){ invalid(e); return; }
					return d.fromJson(xhr.responseText);
				}
			;
			
		})(dojo);
		
		dojo.addOnLoad(function(){
			
			// load some invalid JSON (but real JS)
			dojo.xhrGet({
				url:"invalid.json",
				// file is:
				// 	{ "s":(function(){ alert("xss!"); })() }
				handleAs:"json", 
				load: function(data){
					console.log("got bad data", data);
				}
			});
			
			dojo.xhrGet({
				url:"regular.json",
				// file is:
				// { "f":"bar" }
				handleAs: "json",
				load: function(data){
					console.log("got good data", data);
				}
			})
			
		});
	</script>
	
	
</head>
<body></body>
</html>