On Fri, 16 Jun 2017 00:10:58 +1000, Chris Angelico wrote:

> On Fri, Jun 16, 2017 at 12:00 AM, alister <alister.w...@ntlworld.com> wrote:
>> On Thu, 15 Jun 2017 22:27:40 +1000, Chris Angelico wrote:
>>
>>> On Thu, Jun 15, 2017 at 9:47 PM, Rhodri James <rho...@kynesim.co.uk> wrote:
>>>>> 1) It is not secure. Check this out:
>>>>> https://stackoverflow.com/questions/1906927/xml-vulnerabilities#1907500
>>>> XML and JSON share the vulnerabilities that come from having to parse
>>>> untrusted external input. XML then has some extra since it has extra
>>>> flexibility, like being able to specify external resources (potential
>>>> attack vectors) or entity substitution. If you don't need the extra
>>>> flexibility, feel free to use JSON, but don't for one moment think
>>>> that makes you inherently safe.
>>>
>>> Not sure what you mean about parsing untrusted external input. Suppose
>>> you build a web server that receives POST data formatted either JSON
>>> or XML. You take a puddle of bytes, and then proceed to decode them.
>>
>> Where it "Could" be a security issue is in Javascript.
>>
>> Json is designed to be legal Javascript code & therefore directly
>> executable so no parser is possible.
>>
>
> "no parser is possible"???
>
> https://developer.mozilla.org/en/docs/Web/JavaScript/Reference/Global_Objects/JSON/parse
>
> If you're stupid enough to eval JSON instead of using JSON.parse(),
> you deserve all you get. That's not a fault with JSON.
>
> ChrisA
I meant possible to use without a parser, sorry

--
Dijkstra probably hates me
(Linus Torvalds, in kernel/sched.c)
--
https://mail.python.org/mailman/listinfo/python-list
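The eval-versus-JSON.parse point made in the thread, as an added example that is not part of any post above: the two decoders, the `compareDecoders` helper and both input strings are constructed for illustration. It shows that `eval` will happily run JavaScript that only resembles JSON, while `JSON.parse` accepts nothing but the JSON grammar and so rejects the same text with a `SyntaxError`.

```javascript
// Added example (not from the thread). Inputs are constructed.

// Unsafe decoder: treats the bytes as JavaScript source, so any valid JS
// in the input runs with the caller's privileges.
function decodeWithEval(text) {
  return eval("(" + text + ")");
}

// Safe decoder: JSON.parse implements only the JSON grammar. It never
// evaluates code and throws SyntaxError on anything that is not JSON.
function decodeWithJsonParse(text) {
  return JSON.parse(text);
}

// Flag the non-JSON input tries to set, so the side effect is observable.
globalThis.sideEffectRan = false;

// Constructed inputs: a legitimate JSON document, and JavaScript that
// yields a look-alike object but also runs a statement on the way.
const benignJson = '{"user": "alice", "roles": ["reader"]}';
const hostileText =
  'globalThis.sideEffectRan = true, {"user": "alice", "roles": ["admin"]}';

// Run both decoders over both inputs and record the outcome of each.
function compareDecoders() {
  const results = {};
  const inputs = [["benign", benignJson], ["hostile", hostileText]];
  for (const [label, text] of inputs) {
    globalThis.sideEffectRan = false;
    let evalResult;
    try {
      evalResult = decodeWithEval(text);
    } catch (e) { evalResult = "error: " + e.name; }
    const evalSideEffect = globalThis.sideEffectRan;

    globalThis.sideEffectRan = false;
    let parseResult;
    try {
      parseResult = decodeWithJsonParse(text);
    } catch (e) { parseResult = "rejected: " + e.name; }
    const parseSideEffect = globalThis.sideEffectRan;

    results[label] = { eval: evalResult, evalSideEffect,
                       parse: parseResult, parseSideEffect };
  }
  return results;
}
```

For the hostile input, `eval` returns an object claiming the "admin" role and flips the flag, whereas `JSON.parse` rejects it outright and touches nothing.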