1082 Re: org.json.java

  • Douglas Crockford
    Jul 3, 2008
      --- In json@yahoogroups.com, "Tyler Close" <tyler.close@...> wrote:
      >
      > On Wed, Jul 2, 2008 at 9:08 AM, Douglas Crockford <douglas@...> wrote:
      > > It turns out that some implementations of JavaScript's eval function
      > > delete some characters before evaluation. (I hope to correct this in
      > > the next edition of the ECMAScript Standard.)
      >
      > In the meantime, does the json2.js definition of control character
      > cover all the potentially dangerous characters?

      Yes.

      > Shouldn't all JSON
      > emitters be escaping these characters, since the output might be
      > consumed by a JavaScript eval() function? Since following the RFC
      > currently results in potentially unsafe JSON output, putting the
      > control character definition on the json.org homepage seems wise.
      >
      > I wonder how many different definitions of control character are used
      > in the collection of implementations at the bottom of the JSON.org
      > homepage.

      So far this hasn't appeared to be a problem. I haven't seen
      applications flinging around a lot of the Cf characters that get
      deleted by Firefox before eval.

      For applications that need Cf characters in strings that don't want to
      have to escape them, a non-eval parser should be used, such as
      http://www.json.org/json_parse.js or
      http://www.json.org/json_parse_state.js.
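
An added example, not part of the original message and not code from json2.js: one way for a JSON emitter to escape the characters discussed above, so the output keeps its meaning even if a consumer deletes Cf characters before eval. The character class is an assumption about the set json2.js treats as dangerous, and the names `emitSafeJson`, `findUnescaped` and `CONSTRUCTED_SAMPLE` are hypothetical.

```javascript
// Assumption: this class mirrors the set json2.js treats as dangerous
// (Cf/format characters and other code points that some engines delete
// or mishandle before eval). Check it against your copy of json2.js.
const DANGEROUS = /[\u0000\u00ad\u0600-\u0604\u070f\u17b4\u17b5\u200c-\u200f\u2028-\u202f\u2060-\u206f\ufeff\ufff0-\uffff]/g;

// Turn one UTF-16 code unit into its six-character \uXXXX escape.
function toUnicodeEscape(ch) {
  return '\\u' + ch.charCodeAt(0).toString(16).padStart(4, '0');
}

// Serialize a value, then escape every dangerous character in the text.
// In well-formed JSON these characters can only occur inside string
// literals, so a whole-text replace cannot change the structure.
function emitSafeJson(value) {
  const text = JSON.stringify(value);
  if (text === undefined) {
    throw new TypeError('value is not serializable as JSON');
  }
  return text.replace(DANGEROUS, toUnicodeEscape);
}

// Audit JSON text from another emitter: list dangerous characters that
// were sent raw instead of escaped.
function findUnescaped(jsonText) {
  const hits = [];
  for (const m of jsonText.matchAll(DANGEROUS)) {
    const hex = m[0].charCodeAt(0).toString(16).toUpperCase().padStart(4, '0');
    hits.push({ index: m.index, codePoint: 'U+' + hex });
  }
  return hits;
}

// Constructed sample: strings carrying U+200C, U+FEFF and U+2028.
const CONSTRUCTED_SAMPLE = { name: 'a\u200cb', note: 'x\ufeffy\u2028z' };

const raw = JSON.stringify(CONSTRUCTED_SAMPLE);
const safe = emitSafeJson(CONSTRUCTED_SAMPLE);
console.log('raw emitter leaves unescaped:', findUnescaped(raw));
console.log('escaped output:', safe);
console.log('round-trips:', JSON.parse(safe).note === CONSTRUCTED_SAMPLE.note);
```

The escaped text is pure ASCII for these characters, so it parses to the same strings with either eval-based or non-eval parsers.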