Why does web service return data as msg.d

Question

I found that my webmethod is returning data as

{ "d":
 [
   {"id":"1","itemtxt":"Masters"},
   {"id":"2","itemtxt":"Transactions"},
   {"id":"3","itemtxt":"Misch. Reports"}
 ]
}

If you notice, the array is named as "d". Why is that ? is there any rule for it?

For your information I am returning a list of objects (List<webitem>)

public class webitem
{
    public webitem(string kid, string kval)
    {
        this.id = kid;
        this.itemtxt = kval;
    }

    public string id { get; set;  }
    public string itemtxt { get; set; }
}

What does this "d" mean ? will it allways be same for whatever data i send from my webmethod? or it is going to change depending on my data type/class type?

EDIT

Here is the webmethod

[WebMethod]
public  List<webitem> GetSubModules(string key)
{
    string s = " order by smid";
    if (key != null)
        s = " where moduleid=" + key + s;
    return Utility.GetDDLVal("Select smid id,smname itemtxt from m_submodules "+s, null, null);
}

I can't see any `return ...` code – gdoron Apr 21 '12 at 23:30 — gdoron, Apr 21 '12 at 23:30
Updated the webmethod with return code – Deb Apr 21 '12 at 23:36 — Deb, Apr 21 '12 at 23:36

vcsjones · Accepted Answer · 2017-05-18T16:36:22.157

5

It's a bit of a security feature as part of ASP.NET. It will always be there as long as you don't change serializers. David Ward's blog (now defunct) said what it is:

This is the case with all ASMX services JSON serialized through the ASP.NET AJAX Extensions in ASP.NET 3.5. Even if you’re only returning a scalar return value, such as a string, int, or boolean, the result will always be enclosed within the “d”.

And the why:

{"d": 1 }

Is not a valid JavaScript statement, where as this:

[1]

Is.

So the wrapping of the "d" parameter prevents direct execution of the string as script. No Object or Array constructor worries.

edited May 18 '17 at 16:36

answered Apr 21 '12 at 23:44

vcsjones

138,677
31
291
286

1

`{"d":1}` is perfectly valid in JS -- so for example `{"d":console.log("Do Evil")}` executes perfectly in nodejs which is the security issue that your reference blog is explaining it is trying to prevent. Hence, the wrapping does **not** provide any security afaik. – Soren Apr 22 '12 at 03:12
[Dave Reed's comment](http://encosia.com/a-breaking-change-between-versions-of-aspnet-ajax/#comment-34045) in the linked blog post has even more details. – M4N Jun 06 '15 at 09:32
Very late response, but the security is about *json*, not *JavaScript*. The example above does not work. `JSON.parse("{\"d\":console.log(\"Do Evil\")}")`. With the array example, it is possible for it to parse successfully and result in an execution. – vcsjones Aug 25 '16 at 05:03

Why does web service return data as msg.d

1 Answers1

Linked