[OT] is JSON all that great? - was Re: API Help

Chris Angelico rosuav at gmail.com
Thu Jun 15 17:43:28 EDT 2017


On Fri, Jun 16, 2017 at 6:58 AM, Grant Edwards
<grant.b.edwards at gmail.com> wrote:
> On 2017-06-15, Erik <python at lucidity.plus.com> wrote:
>> On 15/06/17 15:10, Chris Angelico wrote:
>>> On Fri, Jun 16, 2017 at 12:00 AM, alister <alister.ware at ntlworld.com> wrote:
>>>> Json is designed to be legal Javascript code & therefore directly
>>>> executable so no parser is possible.
>>>>
>>>
>>> "no parser is possible"???
>>
>> I *think* alister meant "so it is possible to not use a parser
>> [library]" (i.e., parse the stream using JavaScript's parser via eval()
>> - though I agree with everyone else who has said this should never be done).
>
> The old operator order/precedence issue strikes again...
>
>   (no parser) is possible
>
> vs.
>
>   no (parser is possible)

Rewording:

JSON is a subset of JavaScript syntax, and therefore can potentially
be evaluated without a parser.

So, yeah, sure. You can create an HTML page like this:

import json

some_object = {"greeting": "hi"}  # any JSON-serialisable value stands in here
html = """<script>
var data = %s;
do_stuff_with(data);
</script>
""" % json.dumps(some_object)

Sure, nice. But if you then say "JSON is vulnerable because you can
evaluate it as JS", you're completely missing the point. Any time you
get untrusted data, you're going to get it as either a string or an
array of bytes, and either way, it's just as easy to JSON.parse() it
as to eval() it.

ChrisA
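An added example (not part of Chris's post or anyone else's in the thread) showing the two sides of the point above in Python, the language of the snippet: a strict JSON parser accepts only data, so text that is executable JavaScript but not a JSON literal is rejected instead of run, and the `var data = %s;` embedding only stays safe if the `json.dumps` output is escaped for the script element, because a string value containing `</script>` would otherwise close the element early. The sample payloads and the helper names `classify` and `dumps_for_script_tag` are constructed for this illustration.

```python
import json


def strict_json_load(payload):
    """Parse untrusted text as data only.

    The JSON grammar has no identifiers, calls, operators or comments,
    so anything that is JavaScript code rather than a literal raises
    json.JSONDecodeError instead of being evaluated.
    """
    return json.loads(payload)


def classify(payload):
    """Return 'data' if the payload is valid JSON, 'rejected' otherwise."""
    try:
        strict_json_load(payload)
        return "data"
    except json.JSONDecodeError:
        return "rejected"


def dumps_for_script_tag(obj):
    """Serialise obj for interpolation into an inline <script> element.

    json.dumps (ensure_ascii=True by default) already writes U+2028 and
    U+2029 as \\u escapes, which matters because older JS engines treated
    them as line terminators.  '<', '>' and '&' are additionally written
    as \\u escapes so that no value can contain the bytes '</script>'.
    The result is still valid JSON and a valid JS literal, so it round-trips
    through json.loads or JSON.parse unchanged.
    """
    text = json.dumps(obj)
    return (text.replace("<", "\\u003c")
                .replace(">", "\\u003e")
                .replace("&", "\\u0026"))


# Constructed sample payloads: JSON data versus JavaScript that eval() would
# happily run but a JSON parser refuses.
SAMPLES = {
    '{"user": "alice", "roles": ["admin"]}': "data",
    '{"user": "alice", "roles": roles()}': "rejected",  # call expression
    "{'user': 'alice'}": "rejected",                    # single quotes
    '{"n": 1,}': "rejected",                            # trailing comma
    '[1, 2] // comment': "rejected",                    # JS comment
}


def check_samples():
    """Map each sample payload to the classification the parser gives it."""
    return {payload: classify(payload) for payload in SAMPLES}


if __name__ == "__main__":
    for payload, verdict in check_samples().items():
        print(f"{verdict:9} {payload}")
    embedded = dumps_for_script_tag({"note": "</script><script>alert(1)</script>"})
    print("var data = %s;" % embedded)
    print(json.loads(embedded))
```

The escaped form is what a template helper such as Django's `json_script` filter emits; the point is that the escaping happens on the serialiser side, and the receiving page still gets the original value back from `JSON.parse`.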



More information about the Python-list mailing list