[OT] is JSON all that great? - was Re: API Help

Rhodri James rhodri at kynesim.co.uk
Thu Jun 15 07:47:31 EDT 2017


People seem to be having fun bashing XML, so I thought I'd wade in on 
its behalf.

On 15/06/17 03:46, justin walters wrote:
> There are 2 main issues with XML:
> 
> 1) It is not secure. Check this out:
> https://stackoverflow.com/questions/1906927/xml-vulnerabilities#1907500

XML and JSON share the vulnerabilities that come from having to parse 
untrusted external input.  XML then has some extra since it has extra 
flexibility, like being able to specify external resources (potential 
attack vectors) or entity substitution.  If you don't need the extra 
flexibility, feel free to use JSON, but don't for one moment think that 
makes you inherently safe.

> 2) It is large. JSON can express the same amount of information while
> using much less memory. There are many reasons for this, but the simplest
> is that JSON formatting requires fewer characters.

The simplest, but also the least true.  A better reason would be that 
JSON is a (fairly) simple representation while XML is complex.

> Also, there are several formal schemas to follow. The most popular is
> JSONAPI.

"The nice thing about standards is that you have so many to choose from."

> JSON is also fundamentally much simpler than XML. There are strings,
> numbers,
> arrays, and objects. That's it. It is basically a dumbed down Python
> dictionary.

In those terms, XML just has elements, attributes and character data, so 
you don't even have to worry about typing.  That's not a useful way of 
describing JSON's simplicity, though, so it's no wonder XML actually 
sounds simpler when you put it that way.

JSON is a text description of a general purpose data structure.  It's 
relatively simple, relatively easy to parse (which doesn't mean it's 
easy, I've had some stinkers of pieces of JSON to disentangle in the 
past), and maps straightforwardly to most people's data transfer needs.

XML is a text description of an annotated data structure, with 
declarative and procedural elements thrown in for extra fun.  It's 
complex, harder to parse, and doesn't have a single obvious mapping to 
most people's data transfer needs.  However when you need that extra 
flexibility, it's wonderful, and it doesn't *have* to be complex.

Of course, all this assumes you don't want the efficiency of a bespoke 
binary protocol.  Living in an embedded world, I usually do :-)

-- 
Rhodri James *-* Kynesim Ltd
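The point above about XML's extra flexibility (external resources, entity substitution) and about untrusted input in general, as an added example that is not from this post or the thread: a Python parser built on the standard library's expat binding that refuses any DOCTYPE, entity declaration or external entity reference before anything is expanded, and caps input size. The size limit and the two sample documents are constructed for this demonstration.

```python
import xml.parsers.expat as expat

MAX_INPUT_BYTES = 1 << 20  # constructed limit; tune to real payload sizes

# Constructed sample inputs: a benign document and one that declares entities.
BENIGN = b'<order id="42"><item qty="2">Widget &amp; Co</item></order>'
WITH_DTD = b'<!DOCTYPE d [<!ENTITY a "aaaa"><!ENTITY b "&a;&a;&a;&a;">]><d>&b;</d>'


class ForbiddenXMLFeature(ValueError):
    """Untrusted XML used a DTD, entity declaration or external resource."""


def parse_untrusted_xml(data: bytes) -> dict:
    """Parse XML from an untrusted source into a plain dict tree.

    Any DOCTYPE, entity declaration or external entity reference aborts the
    parse before anything is expanded or fetched; malformed input still
    raises expat.ExpatError, as with any parser.
    """
    if len(data) > MAX_INPUT_BYTES:
        raise ForbiddenXMLFeature("document exceeds the size limit")
    parser = expat.ParserCreate()
    # Never read parameter entities, i.e. never load an external DTD subset.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def forbid(feature):
        def handler(*_args):
            raise ForbiddenXMLFeature(f"{feature} is not allowed in untrusted input")
        return handler

    parser.StartDoctypeDeclHandler = forbid("DOCTYPE declaration")
    parser.EntityDeclHandler = forbid("entity declaration")
    parser.ExternalEntityRefHandler = forbid("external entity reference")

    # Minimal tree: one {"tag", "attrs", "text", "children"} dict per element.
    stack = [{"tag": None, "attrs": {}, "text": "", "children": []}]

    def start(name, attrs):
        node = {"tag": name, "attrs": attrs, "text": "", "children": []}
        stack[-1]["children"].append(node)
        stack.append(node)

    def chars(text):  # expat may split text into chunks; accumulate them
        stack[-1]["text"] += text

    parser.StartElementHandler = start
    parser.EndElementHandler = lambda _name: stack.pop()
    parser.CharacterDataHandler = chars
    parser.Parse(data, True)
    return stack[0]["children"][0]
```

The same discipline applies to JSON: a size cap and a nesting-depth check before handing untrusted text to json.loads covers the shared risks the post mentions.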
