[OT] is JSON all that great? - was Re: API Help

Chris Angelico rosuav at gmail.com
Thu Jun 15 10:10:58 EDT 2017


On Fri, Jun 16, 2017 at 12:00 AM, alister <alister.ware at ntlworld.com> wrote:
> On Thu, 15 Jun 2017 22:27:40 +1000, Chris Angelico wrote:
>
>> On Thu, Jun 15, 2017 at 9:47 PM, Rhodri James <rhodri at kynesim.co.uk>
>> wrote:
>>>> 1) It is not secure. Check this out:
>>>> https://stackoverflow.com/questions/1906927/xml-vulnerabilities#1907500
>>> XML and JSON share the vulnerabilities that come from having to parse
>>> untrusted external input.  XML then has some extra since it has extra
>>> flexibility, like being able to specify external resources (potential
>>> attack vectors) or entity substitution.  If you don't need the extra
>>> flexibility, feel free to use JSON, but don't for one moment think that
>>> makes you inherently safe.
>>
>> Not sure what you mean about parsing untrusted external input. Suppose
>> you build a web server that receives POST data formatted either JSON or
>> XML. You take a puddle of bytes, and then proceed to decode them.
>
> Where it "Could" be a security issue is in Javascript.
>
> Json is designed to be legal Javascript code & therefore directly
> executable so no parser is possible.
>

"no parser is possible"???

https://developer.mozilla.org/en/docs/Web/JavaScript/Reference/Global_Objects/JSON/parse

If you're stupid enough to eval JSON instead of using JSON.parse(),
you deserve all you get. That's not a fault with JSON.

ChrisA
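To make the point of this exchange concrete, here is an added example (not code from the thread or from any of the posters) of how a web handler can treat a POST body as data with `JSON.parse()` rather than as code. The helper `parseUntrustedJson` and its limits (`DEFAULT_MAX_BYTES`, `DEFAULT_MAX_DEPTH`) are hypothetical names chosen for this illustration, and `SAMPLE_BODY` is a constructed request body; it also addresses Rhodri's remark that JSON parsers still face the generic risks of untrusted input (oversized or absurdly nested documents) by bounding both before handing the result to application code.

```javascript
'use strict';

// Added example, not from the mailing-list thread. JSON.parse() reads its
// input purely as data: anything that is not JSON syntax (an expression, a
// function call, a comment) is a SyntaxError, never executed. The size and
// depth limits below are hypothetical defaults; tune them to real messages.
const DEFAULT_MAX_BYTES = 64 * 1024;
const DEFAULT_MAX_DEPTH = 32;

// Constructed sample request body, the kind of thing a web server would
// receive in a POST and decode.
const SAMPLE_BODY = '{"user":"alice","tags":["a","b"],"admin":false}';

// Nesting depth of a parsed JSON value: scalars are 0, {} or [] is 1, and
// each enclosed object/array adds one. Uses an explicit stack so that a
// deeply nested document cannot exhaust the JavaScript call stack here.
function jsonDepth(root) {
  let max = 0;
  const stack = [[root, 1]];
  while (stack.length > 0) {
    const [value, depth] = stack.pop();
    if (value === null || typeof value !== 'object') continue;
    if (depth > max) max = depth;
    const children = Array.isArray(value) ? value : Object.values(value);
    for (const child of children) stack.push([child, depth + 1]);
  }
  return max;
}

// Decode an untrusted body. Throws RangeError when a size or depth bound is
// exceeded and SyntaxError when the text is not JSON; returns plain data.
function parseUntrustedJson(text, options = {}) {
  const maxBytes = options.maxBytes ?? DEFAULT_MAX_BYTES;
  const maxDepth = options.maxDepth ?? DEFAULT_MAX_DEPTH;
  if (typeof text !== 'string') {
    throw new TypeError('body must be a string');
  }
  // Reject oversized bodies before spending CPU and memory on parsing.
  const byteLength = new TextEncoder().encode(text).length;
  if (byteLength > maxBytes) {
    throw new RangeError(`body is ${byteLength} bytes, limit is ${maxBytes}`);
  }
  let value;
  try {
    value = JSON.parse(text); // data only; JavaScript source is rejected
  } catch (err) {
    throw new SyntaxError(`body is not valid JSON: ${err.message}`);
  }
  // Bound nesting so later recursive code (validators, serializers) that
  // walks the structure is not driven into a stack overflow.
  const depth = jsonDepth(value);
  if (depth > maxDepth) {
    throw new RangeError(`body nesting is ${depth} levels, limit is ${maxDepth}`);
  }
  return value;
}

// Stand-alone demonstration: a well-formed body decodes, an expression that
// would be "directly executable" if fed to eval is refused as not-JSON.
if (typeof require !== 'undefined' && require.main === module) {
  console.log(parseUntrustedJson(SAMPLE_BODY));
  try {
    parseUntrustedJson('1 + 1');
  } catch (err) {
    console.log(`rejected: ${err.message}`);
  }
}

module.exports = { parseUntrustedJson, jsonDepth, SAMPLE_BODY };
```

The byte-length check runs before `JSON.parse()` so an attacker-sized body is refused at the cost of one pass over the string, and the depth check runs after it because the parser itself is the cheapest place to discover that the text is not JSON at all.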


