AJAX - The Complete Reference


326 Part II: Developing an Ajax Library


it would at least (at the point of this writing) have been safe. However, if for some reason
the same data is wrapped in parentheses, like so:

({"accountNumber":"1174674826","ssn":"111-22-3333","name":"Malcolm Reynolds"})

or is returned as a JSONP-style response, where the data is passed to a callback function, like so:

showResponse([{"accountNumber":"1175633775"},{"accountNumber":"2295382754"},
{"accountNumber":"3325274767"},{"accountNumber":"4174485964"},{"accountNumber":
"5295655666"},{"accountNumber":"6224583794"}]);

the data can be stolen just as with the array response. The latter case is quite easy as the
hacker just needs to make their own showResponse() function that saves the data to their
site:

function showResponse(accounts)
{
  var data = "";
  // Collect every account number from the hijacked response
  for (var i = 0; i < accounts.length; i++)
    data += accounts[i].accountNumber + " ";
  // ... the attacker's version of the callback then saves data to their own site
}

FIGURE 7-14 JSON array response stolen via CSRF
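The following is an added example, not code from the book: it checks, from the defender's side, which of the response forms discussed above a hostile page could load at all through a cross-site script tag, and shows the usual countermeasure of prefixing the JSON with text that is a syntax error as a script. The `isLoadableAsScript`, `defangJson` and `parseDefangedJson` helpers and the sample bodies are all constructed here for illustration.

```javascript
// Does this response body compile as a JavaScript program? If not, a
// <script src="https://bank.example/accounts"> tag on an attacker's page
// cannot consume it, whatever cookies the victim's browser sends along.
// `new Function` only compiles the text; nothing in it is executed.
function isLoadableAsScript(body) {
  try {
    new Function(body);
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

// Countermeasure: prefix the JSON with a token that cannot start a script.
// The legitimate XMLHttpRequest client strips it before JSON.parse; a
// <script> tag fails at the first character.
const DEFANG_PREFIX = ")]}',\n";

function defangJson(value) {
  return DEFANG_PREFIX + JSON.stringify(value);
}

function parseDefangedJson(body) {
  if (!body.startsWith(DEFANG_PREFIX)) {
    throw new Error("response is missing the anti-hijacking prefix");
  }
  return JSON.parse(body.slice(DEFANG_PREFIX.length));
}

// Constructed sample bodies mirroring the forms discussed in the text.
const SAMPLES = {
  bareObject: '{"accountNumber":"1174674826","name":"Malcolm Reynolds"}',
  parenthesizedObject: '({"accountNumber":"1174674826","name":"Malcolm Reynolds"})',
  bareArray: '[{"accountNumber":"1175633775"},{"accountNumber":"2295382754"}]',
  jsonp: 'showResponse([{"accountNumber":"1175633775"}]);',
  defanged: defangJson([{ accountNumber: "1175633775" }]),
};

// Map each sample name to whether a <script> tag could load it.
function classifySamples() {
  const out = {};
  for (const [name, body] of Object.entries(SAMPLES)) {
    out[name] = isLoadableAsScript(body);
  }
  return out;
}

console.log(classifySamples());
```

Only the bare object literal and the prefixed form fail to compile; the array, parenthesized and JSONP forms all load, so an endpoint returning those needs a further guard such as an unguessable per-session token in the request or a check for a custom request header that a script tag cannot add.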