On Tue, Jul 16, 2013 at 1:42 AM, Burak Arslan <burak.ars...@arskom.com.tr> wrote:
> On 07/15/13 13:57, Chris Angelico wrote:
>> But what I meant was that the [Json] protocol itself is designed with
>> security restrictions in mind. It's designed not to fetch additional
>> content from the network (as XML can),
>
> Can you explain how parsing XML can fetch data from the network?
I haven't looked into the details, but there was one among a list of exploits that was being discussed a few months ago; it involved XML schemas, I think, and quite a few generic XML parsers could be tricked into fetching arbitrary documents. Whether this could be used for anything more serious than a document-viewed receipt or a denial of service (via latency) I don't know, but if nothing else, it's a vector that JSON simply doesn't have.

ChrisA
-- 
http://mail.python.org/mailman/listinfo/python-list
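The fetching the thread alludes to comes from a document's DTD and entity declarations: an external DTD subset or a general entity with a SYSTEM identifier names a resource a parser may resolve over the network, which is how a "document-viewed receipt" would work. The scanner below is an added example written for this page (not code from the thread or from Python's own test suite); it uses the standard-library expat bindings to list every external reference a document declares and to abort parsing if the body actually dereferences one, so no connection is ever opened. The two sample documents and the `.invalid` hostnames are constructed placeholders.

```python
import xml.parsers.expat as expat

# Constructed sample documents; the hostnames are placeholders.
SAFE_DOC = b'<?xml version="1.0"?><note><to>alice</to></note>'
TRACKING_DOC = b'''<?xml version="1.0"?>
<!DOCTYPE note SYSTEM "http://dtd.example.invalid/note.dtd" [
  <!ENTITY beacon SYSTEM "http://beacon.example.invalid/opened.xml">
]>
<note>&beacon;</note>'''


class ExternalRefScanner:
    """Expat parser that records external resources a document declares
    and refuses to continue if the document tries to use one."""

    def __init__(self):
        self.external_refs = []   # (kind, name, system_id)
        self.parser = expat.ParserCreate()
        self.parser.StartDoctypeDeclHandler = self._doctype
        self.parser.EntityDeclHandler = self._entity_decl
        self.parser.ExternalEntityRefHandler = self._external_ref

    def _doctype(self, name, system_id, public_id, has_internal_subset):
        # <!DOCTYPE x SYSTEM "..."> names an external DTD subset. Expat
        # does not load it unless parameter-entity parsing is enabled.
        if system_id:
            self.external_refs.append(("dtd", name, system_id))

    def _entity_decl(self, name, is_param, value, base, system_id,
                     public_id, notation):
        # An entity declared with a system id is external (value is None).
        if system_id:
            kind = "parameter-entity" if is_param else "general-entity"
            self.external_refs.append((kind, name, system_id))

    def _external_ref(self, context, base, system_id, public_id):
        # Called when the body references an external general entity.
        # Returning 0 makes expat raise an error instead of loading it.
        return 0


def scan_xml(data):
    """Parse offline; report declared external references and whether the
    document parsed without needing any of them."""
    scanner = ExternalRefScanner()
    try:
        scanner.parser.Parse(data, True)
        error = None
    except expat.ExpatError as exc:
        error = str(exc)
    return {"parsed": error is None, "error": error,
            "external_refs": scanner.external_refs}
```

A non-empty `external_refs` on input that should never carry a DTD is itself a useful detection signal, even when the document still parses.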