[OT] is JSON all that great? - was Re: API Help
alister
alister.ware at ntlworld.com
Thu Jun 15 10:00:15 EDT 2017
On Thu, 15 Jun 2017 22:27:40 +1000, Chris Angelico wrote:
> On Thu, Jun 15, 2017 at 9:47 PM, Rhodri James <rhodri at kynesim.co.uk>
> wrote:
>>> 1) It is not secure. Check this out:
>>> https://stackoverflow.com/questions/1906927/xml-vulnerabilities#1907500
>> XML and JSON share the vulnerabilities that come from having to parse
>> untrusted external input. XML then has some extra since it has extra
>> flexibility, like being able to specify external resources (potential
>> attack vectors) or entity substitution. If you don't need the extra
>> flexibility, feel free to use JSON, but don't for one moment think that
>> makes you inherently safe.
>
> Not sure what you mean about parsing untrusted external input. Suppose
> you build a web server that receives POST data formatted either JSON or
> XML. You take a puddle of bytes, and then proceed to decode them.
Where it "Could" be a security issue is in Javascript.
Json is designed to be legal Javascript code & therefore directly
executable, so no parser is possible.
If a malicious site presented JavaScript code as a Json response it could
expose the user.
Hopefully no python programmer is stupid enough to simply "exec" any data
they received (whether json, XML or JBCCF*)
*JBCC: Joe Blogs Custom Crap Format
--
<marcus> dunham: You know how real numbers are constructed from rational
numbers by equivalence classes of convergent sequences?
<dunham> marcus: yes.
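An added illustration of the point made in the post above (example code, not from the thread or any project): a JSON body is legal JavaScript, so a client that feeds it to eval() runs whatever came back, whereas JSON.parse accepts only the JSON grammar and throws on anything else. The two response bodies, the sideEffects counter and the helper names are constructed for this example.

```javascript
// Constructed sample responses. The "hostile" one is valid JavaScript
// but not valid JSON: it carries a statement after the data.
const GOOD_RESPONSE = '[{"user": "alice", "roles": ["reader"]}]';
const HOSTILE_RESPONSE =
  '[{"user": "alice"}]; sideEffects.push("code ran in the client")';

// Records anything the hostile body manages to execute. In a real browser
// the executed code would have the page's privileges (DOM, cookies, ...).
const sideEffects = [];

// Legacy pattern: treat the response body as code. Shown only to expose
// the failure mode; it is exactly what the post warns against.
function decodeWithEval(body) {
  return eval(body); // direct eval: sees module scope, runs every statement
}

// Parser pattern: JSON.parse implements the JSON grammar and nothing more,
// so JavaScript that is not JSON is rejected with a SyntaxError.
function decodeWithParser(body) {
  return JSON.parse(body);
}

// Defensive wrapper a client should use: check the declared media type,
// then parse. Never executes the body. Returns {ok, value} or {ok, reason}.
function decodeResponse(contentType, body) {
  if (!/^application\/json(\s*;.*)?$/i.test(contentType || '')) {
    return { ok: false, reason: 'unexpected content type: ' + contentType };
  }
  try {
    return { ok: true, value: JSON.parse(body) };
  } catch (err) {
    return { ok: false, reason: 'not valid JSON: ' + err.message };
  }
}

// Runs both decoders over the hostile body and reports what happened.
function runDemo() {
  sideEffects.length = 0;
  decodeWithEval(HOSTILE_RESPONSE); // the trailing statement executes
  let parserThrew = false;
  try {
    decodeWithParser(HOSTILE_RESPONSE);
  } catch (err) {
    parserThrew = err instanceof SyntaxError;
  }
  return { evalRanCode: sideEffects.length > 0, parserThrew };
}
```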