[OT] is JSON all that great? - was Re: API Help

alister alister.ware at ntlworld.com
Fri Jun 16 06:58:49 EDT 2017


On Fri, 16 Jun 2017 00:10:58 +1000, Chris Angelico wrote:

> On Fri, Jun 16, 2017 at 12:00 AM, alister <alister.ware at ntlworld.com>
> wrote:
>> On Thu, 15 Jun 2017 22:27:40 +1000, Chris Angelico wrote:
>>
>>> On Thu, Jun 15, 2017 at 9:47 PM, Rhodri James <rhodri at kynesim.co.uk>
>>> wrote:
>>>>> 1) It is not secure. Check this out:
>>>>> https://stackoverflow.com/questions/1906927/xml-vulnerabilities#1907500
>>>> XML and JSON share the vulnerabilities that come from having to parse
>>>> untrusted external input.  XML then has some extra since it has extra
>>>> flexibility, like being able to specify external resources (potential
>>>> attack vectors) or entity substitution.  If you don't need the extra
>>>> flexibility, feel free to use JSON, but don't for one moment think
>>>> that makes you inherently safe.
>>>
>>> Not sure what you mean about parsing untrusted external input. Suppose
>>> you build a web server that receives POST data formatted either JSON
>>> or XML. You take a puddle of bytes, and then proceed to decode them.
>>
>> Where it "Could" be a security issue is in Javascript.
>>
>> JSON is designed to be legal Javascript code & therefore directly
>> executable so no parser is possible.
>>
>>
> "no parser is possible"???
> 
> https://developer.mozilla.org/en/docs/Web/JavaScript/Reference/Global_Objects/JSON/parse
> 
> If you're stupid enough to eval JSON instead of using JSON.parse(),
> you deserve all you get. That's not a fault with JSON.
> 
> ChrisA

I meant possible to use without a parser, sorry.



-- 
Dijkstra probably hates me
(Linus Torvalds, in kernel/sched.c)
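An added example, not from the thread, that makes the point of the exchange observable in Node.js: JSON.parse() accepts only JSON text, while eval() runs whatever JavaScript the body happens to be. The decoder, its field checks and both inputs are constructed for illustration.

```javascript
// Added example, not from the thread: decoding a request body with
// JSON.parse() versus eval(). Node.js, no dependencies; inputs are constructed.

// Strict decoder: JSON.parse() guarantees the text is JSON syntax, and the
// shape checks afterwards guarantee it is the message we expect.
function decodeMessage(text) {
  let data;
  try {
    data = JSON.parse(text);
  } catch (err) {
    return { ok: false, reason: 'not JSON: ' + err.message };
  }
  if (data === null || typeof data !== 'object' || Array.isArray(data)) {
    return { ok: false, reason: 'expected a JSON object' };
  }
  if (typeof data.user !== 'string' || typeof data.role !== 'string') {
    return { ok: false, reason: 'missing or mistyped fields' };
  }
  return { ok: true, user: data.user, role: data.role };
}

// The "before": treating the body as JavaScript source. Kept only to make
// the difference measurable; it must never see untrusted input.
let sideEffects = 0;
function decodeWithEval(text) {
  return eval('(' + text + ')'); // direct eval: runs with access to this scope
}

// Constructed inputs. The second is valid JavaScript but not JSON: the value
// of "role" is an expression, and evaluating it changes program state.
const benign = '{"user": "alice", "role": "reader"}';
const hostile = '{"user": "mallory", "role": (sideEffects += 1, "reader")}';

// Runs both decoders and reports what each one did with the inputs.
function compareDecoders() {
  const before = sideEffects;
  const strict = { benign: decodeMessage(benign), hostile: decodeMessage(hostile) };
  const loose = decodeWithEval(hostile);
  return {
    strictAcceptedBenign: strict.benign.ok,        // true
    strictAcceptedHostile: strict.hostile.ok,      // false: SyntaxError from JSON.parse
    evalAcceptedHostile: loose.role === 'reader',  // true: looks like a normal message
    evalRanEmbeddedCode: sideEffects > before,     // true: the expression executed
  };
}

console.log(compareDecoders());
```

The shape checks matter as much as the parser choice: JSON.parse() only promises that the bytes were JSON, not that they carry the fields a handler is about to trust.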