On Fri, Jun 16, 2017 at 12:00 AM, alister <alister.w...@ntlworld.com> wrote:
> On Thu, 15 Jun 2017 22:27:40 +1000, Chris Angelico wrote:
>
>> On Thu, Jun 15, 2017 at 9:47 PM, Rhodri James <rho...@kynesim.co.uk> wrote:
>>>> 1) It is not secure. Check this out:
>>>> https://stackoverflow.com/questions/1906927/xml-vulnerabilities#1907500
>>> XML and JSON share the vulnerabilities that come from having to parse
>>> untrusted external input. XML then has some extra since it has extra
>>> flexibility, like being able to specify external resources (potential
>>> attack vectors) or entity substitution. If you don't need the extra
>>> flexibility, feel free to use JSON, but don't for one moment think that
>>> makes you inherently safe.
>>
>> Not sure what you mean about parsing untrusted external input. Suppose
>> you build a web server that receives POST data formatted either JSON or
>> XML. You take a puddle of bytes, and then proceed to decode them.
>
> Where it "Could" be a security issue is in Javascript.
>
> Json is designed to be legal Javascript code & therefore directly
> executable so no parser is possible.
>
"no parser is possible"???

https://developer.mozilla.org/en/docs/Web/JavaScript/Reference/Global_Objects/JSON/parse

If you're stupid enough to eval JSON instead of using JSON.parse(), you deserve all you get. That's not a fault with JSON.

ChrisA
--
https://mail.python.org/mailman/listinfo/python-list
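The point Chris makes, as an added example that is not from the thread: a Node.js handler that decodes an untrusted POST body with JSON.parse() rather than eval(), so text that happens to be runnable JavaScript is rejected instead of executed. The size limit, function name and sample bodies are constructed for this illustration.

```javascript
// Added example (not from the mailing-list thread). Decode a "puddle of bytes"
// from a POST body as JSON without ever executing it. JSON.parse() accepts only
// the JSON grammar, so input that is valid JavaScript but not JSON fails to parse.
const MAX_BODY_BYTES = 1024 * 1024; // hypothetical request-size limit for this demo

function decodeUntrustedJson(bodyBytes) {
  if (bodyBytes.length > MAX_BODY_BYTES) {
    return { ok: false, error: 'body too large' };
  }
  let text;
  try {
    // Strict UTF-8 decoding: malformed byte sequences raise instead of being
    // silently replaced with U+FFFD.
    text = new TextDecoder('utf-8', { fatal: true }).decode(bodyBytes);
  } catch (e) {
    return { ok: false, error: 'invalid UTF-8' };
  }
  try {
    // JSON.parse() builds a data structure; it never evaluates code.
    return { ok: true, value: JSON.parse(text) };
  } catch (e) {
    // SyntaxError: the bytes were not JSON, and nothing was run.
    return { ok: false, error: 'not JSON: ' + e.message };
  }
}

// Constructed sample bodies. 'callExpr' and 'comment' are legal JavaScript
// (eval() would happily execute them) but are not JSON, so they are refused.
const SAMPLES = {
  plain:    Buffer.from('{"user": "alice", "ids": [1, 2, 3]}'),
  callExpr: Buffer.from('(function () { return "ran"; })()'),
  comment:  Buffer.from('{"a": 1} // trailing comment'),
  badUtf8:  Buffer.from([0x22, 0xff, 0x22]),
};

for (const [name, body] of Object.entries(SAMPLES)) {
  console.log(name, decodeUntrustedJson(body));
}
```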