
Parsing JSON Is a Minefield (2018)


[2016-10-26] First version of the article
[2016-10-28] Presentation at Soft-Shake Conference, Geneva (slides)
[2016-11-01] Article and comments in The Register
[2017-11-16] Presentation at Black Alps Security Conference, Yverdon (slides)
[2018-03-09] Presentation at Toulouse Hacking Conference (slides)
[2018-03-30] Updated this article considering RFC 8259

Feel free to comment on Hacker News (2016-10), Hacker News (2018-04) or reddit.

JSON is the de facto standard when it comes to (un)serialising and exchanging data in web and mobile programming.

2014 - IETF RFC 7158 makes the specification "Standards Track" instead of "Informational", allows scalars (anything other than arrays and objects) such as 123 and true at the root level as ECMA does, and warns about bad practices such as duplicated keys and broken Unicode strings, without explicitly forbidding them, though.

                                        JSONKit  TouchJSON  SBJSON
Crash on nested structs                 YES      NO         YES
Crash on invalid UTF-8                  NO       NO         YES
Parses trailing garbage `[]x`           NO       NO         YES
Rejects big numbers                     NO       YES        NO
Parses bad numbers `[0.e1]`             NO       YES        NO
Treats `0x0C FORM FEED` as white space  NO       YES        NO
Parses non-char.

While this behaviour can be fixed by setting the parse_constant option to a function that raises an Exception as shown below, it is such an uncommon practice that I didn't use it in the tests, and let the parser erroneously parse these number constants.
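The parse_constant technique mentioned above, written out as an added example (not the article's own code): Python's json module accepts the non-standard tokens NaN, Infinity and -Infinity by default, and parse_constant turns them into a parse error. It goes one step further than the text by also rejecting, via parse_float, decimal literals such as 1e400 that silently overflow to infinity, since parse_constant never sees those.

```python
import json
import math


def reject_constant(token):
    """parse_constant hook: json calls it only for the literal tokens
    'NaN', 'Infinity' and '-Infinity'. Raising makes them a parse error."""
    raise ValueError(f"rejected non-standard JSON constant: {token}")


def reject_overflow(text):
    """parse_float hook: called for every number with a fraction or exponent.
    A literal like 1e400 would otherwise become float('inf') unnoticed."""
    value = float(text)
    if math.isinf(value):
        raise ValueError(f"rejected number that overflows to infinity: {text}")
    return value


def loads_strict(text):
    """json.loads with both non-standard escape hatches closed."""
    return json.loads(text, parse_constant=reject_constant, parse_float=reject_overflow)


def accepted(text, strict=False):
    """True if the document parses, with the default or the strict loader.
    JSONDecodeError is a ValueError subclass, so one except covers both."""
    loader = loads_strict if strict else json.loads
    try:
        loader(text)
        return True
    except ValueError:
        return False


# Constructed sample documents: three non-standard constants, one overflowing
# literal and one well-formed object for comparison.
SAMPLES = ["[NaN]", "[Infinity]", "[-Infinity]", "[1e400]", '{"x": 1.5}']

if __name__ == "__main__":
    for doc in SAMPLES:
        print(f"{doc:14} default={accepted(doc)!s:5} strict={accepted(doc, strict=True)}")
```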
