Agreed, I thought the JSON criticism was a bit of a stretch. It's hilarious
that json.org, *created by Douglas Crockford*, mentions using eval() as a
JSON parser, though.

Best,
Eric

On Thu, Dec 17, 2015 at 8:42 PM, Brian Hoffman <brianjhoff...@gmail.com>
wrote:

> Thanks, this was interesting. But the JSON segment is a little less than
> terrifying as it’s predicated on the misuse of eval(), which is commonly
> and easily avoided.
>
>
> > On Dec 17, 2015, at 11:00 PM, CODE4LIB automatic digest system <
> lists...@listserv.nd.edu> wrote:
> >
> >
> > Date:    Thu, 17 Dec 2015 09:22:07 -0500
> > From:    Andromeda Yelton <andromeda.yel...@gmail.com>
> > Subject: yaml/xml/json, POST data, bloodcurdling terror
> >
> > I strongly recommend this hilarious, terrifying PyCon talk about
> > vulnerabilities in yaml, xml, and json processing:
> > https://www.youtube.com/watch?v=kjZHjvrAS74
> >
> > If you process user-submitted data in these formats and don't yet know why
> > you should be flatly terrified, please watch this ASAP; it's illuminating.
> > If you *do* know why you should be terrified, watch it anyway and giggle
> > along in knowing recognition, because the talk is really very funny.
> >
> > --
> > Andromeda Yelton
> > Board of Directors, Library & Information Technology Association:
> > http://www.lita.org
> > http://andromedayelton.com
> > @ThatAndromeda <http://twitter.com/ThatAndromeda>
>
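The eval()-as-JSON-parser point the thread turns on, as an added example that is not part of the original messages, of json.org, or of the talk: the eval() idiom (wrap the text in parentheses and evaluate it) run side by side with JSON.parse over three constructed inputs. The function names, the constants and the sample documents are assumptions made for the illustration; the behaviour shown is plain ECMAScript semantics.

```javascript
// Added example, not code from the thread, from json.org or from the talk.
// Contrasts an eval()-based "JSON parser" with JSON.parse on constructed input.

// The eval idiom: wrap the text in parentheses so it parses as an expression,
// then evaluate it. This is the unsafe parser; it accepts any JavaScript.
function parseWithEval(text) {
  return eval("(" + text + ")");
}

// The safe parser: JSON.parse accepts only the JSON grammar and never runs code.
function parseWithJsonParse(text) {
  return JSON.parse(text);
}

// Constructed sample inputs (not taken from any real system).
const BENIGN = '{"user": "alice", "roles": ["reader"]}';

// Valid JavaScript but not valid JSON: an immediately-invoked function runs
// attacker-chosen code when the text is eval'd. Here it just sets a flag.
const CODE_EXECUTION =
  '{"user": (function () { globalThis.evalPayloadRan = true; return "alice"; })()}';

// Valid in both grammars, but the two parsers disagree on meaning: in an
// object literal a "__proto__" key sets the prototype, so isAdmin is
// inherited; JSON.parse instead creates an own property literally named
// "__proto__" and leaves the prototype alone.
const PROTO = '{"__proto__": {"isAdmin": true}, "user": "alice"}';

// Run one input through both parsers and record what each one did.
function compare(text) {
  const result = { evalOutcome: null, jsonParseOutcome: null };
  try {
    result.evalOutcome = { ok: true, value: parseWithEval(text) };
  } catch (e) {
    result.evalOutcome = { ok: false, error: e.constructor.name };
  }
  try {
    result.jsonParseOutcome = { ok: true, value: parseWithJsonParse(text) };
  } catch (e) {
    result.jsonParseOutcome = { ok: false, error: e.constructor.name };
  }
  return result;
}

// Returns a summary of the differences a reviewer would care about.
function demo() {
  globalThis.evalPayloadRan = false;
  const benign = compare(BENIGN);
  const exec = compare(CODE_EXECUTION);
  const ranCode = globalThis.evalPayloadRan === true;
  const proto = compare(PROTO);
  const hasOwn = (o, k) => Object.prototype.hasOwnProperty.call(o, k);
  return {
    // Well-formed JSON is accepted by both parsers.
    benignBothParse: benign.evalOutcome.ok && benign.jsonParseOutcome.ok,
    // eval() executed the embedded function; JSON.parse refused the text.
    evalRanAttackerCode: ranCode,
    jsonParseRejectedCode:
      !exec.jsonParseOutcome.ok && exec.jsonParseOutcome.error === "SyntaxError",
    // eval(): isAdmin is inherited through the prototype, no own "__proto__".
    evalInheritedIsAdmin:
      proto.evalOutcome.value.isAdmin === true &&
      !hasOwn(proto.evalOutcome.value, "__proto__"),
    // JSON.parse: "__proto__" is an ordinary own key, isAdmin is undefined.
    jsonParseOwnProtoKey:
      proto.jsonParseOutcome.value.isAdmin === undefined &&
      hasOwn(proto.jsonParseOutcome.value, "__proto__"),
  };
}

console.log(demo());
```

The second input is the code-execution case the thread is about; the third is the quieter one: a document that both parsers accept but that only the eval() path turns into a prototype change, which is why "just validate that it looks like JSON first" is not a substitute for JSON.parse.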
