OASIS Mailing List Archives
Re: [xml-dev] Stick with XML ... JSON is a minefield of security risks and ambiguities

Thanks for sharing this link, Roger.  Very important, useful, and, frankly, disappointing.  Standards are *hard*, and perhaps the hardest aspect is the requirements, which must be decided and stated clearly.  Now I'm confused about the basic purpose of JSON.  I'd like to draw attention to the following passage from the same (outstanding!) paper:


Beyond the specific cases we just went through, finding out if a parser is RFC 7159 compliant or not is next to impossible because of section 9 "Parsers":

A JSON parser MUST accept all texts that conform to the JSON grammar. A JSON parser MAY accept non-JSON forms or extensions.

To this point, I perfectly understand the RFC. All grammatically correct inputs MUST be parsed, and parsers are free to accept other contents as well.

An implementation may set limits on the size of texts that it accepts. An implementation may set limits on the maximum depth of nesting. An implementation may set limits on the range and precision of numbers. An implementation may set limits on the length and character contents of strings.

All these limitations sound reasonable (except maybe the one about "character contents"), but contradict the "MUST" from the previous sentence. RFC 2119 is crystal-clear about the meaning of "MUST":

MUST - This word, or the terms "REQUIRED" or "SHALL", mean that the definition is an absolute requirement of the specification.


*ouch*


On 11/02/2016 07:18 AM, Costello, Roger L. wrote:

Hi Folks,

 

Excellent paper on JSON at last week’s Soft-Shake Conference in Geneva. (http://seriot.ch/parsing_json.html)
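Added example, not part of the original messages or of the paper: the section 9 tension quoted above, shown with CPython's standard `json` module, next to a wrapper that states its limits explicitly. `MAX_CHARS`, `MAX_DEPTH`, `JSONLimitError`, `max_depth`, `strict_loads` and `default_behaviour` are names and values assumed for this illustration.

```python
import json

MAX_CHARS = 1_000_000  # assumed size limit, chosen for this example
MAX_DEPTH = 64         # assumed nesting limit, chosen for this example

class JSONLimitError(ValueError):
    """Input falls outside the limits this wrapper documents."""

def _reject_constant(name):
    # NaN, Infinity and -Infinity are extensions, not RFC 7159 grammar.
    raise JSONLimitError(f"non-JSON constant {name!r}")

def max_depth(text):
    """Deepest [ or { nesting, ignoring brackets inside strings."""
    depth = deepest = 0
    in_string = escaped = False
    for ch in text:
        if in_string:
            if escaped:
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_string = False
        elif ch == '"':
            in_string = True
        elif ch in "[{":
            depth += 1
            deepest = max(deepest, depth)
        elif ch in "]}":
            depth -= 1
    return deepest

def strict_loads(text):
    """Parse with explicit, documented limits instead of implicit ones."""
    if len(text) > MAX_CHARS:
        raise JSONLimitError("text exceeds MAX_CHARS")
    if max_depth(text) > MAX_DEPTH:
        raise JSONLimitError("nesting exceeds MAX_DEPTH")
    return json.loads(text, parse_constant=_reject_constant)

def default_behaviour():
    """What json.loads does with grammar-valid and non-JSON edge cases."""
    seen = {"nan": json.loads("NaN"), "1e400": json.loads("1e400")}
    try:
        json.loads("[" * 100_000 + "]" * 100_000)  # valid JSON grammar
        seen["deep"] = "parsed"
    except RecursionError:
        seen["deep"] = "RecursionError"
    return seen
```

`strict_loads` still maps `1e400` to a float infinity, so the "range and precision of numbers" limit stays implicit unless `parse_float` is also overridden.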

 




