On 2018-03-16 18:46, Mike Samuel wrote:
On Fri, Mar 16, 2018 at 1:30 PM, Anders Rundgren <[email protected]
<mailto:[email protected]>> wrote:
On 2018-03-16 18:04, Mike Samuel wrote:
It is entirely unsuitable to embedding in HTML or XML though.
IIUC, with an implementation based on this
JSON.canonicalize(JSON.stringify("</script>")) === `"</script>"` &&
JSON.canonicalize(JSON.stringify("]]>")) === `"]]>"`
I don't know what you are trying to prove here :-)
Only that canonical JSON is useful in a very narrow context.
It cannot be embedded in an HTML script tag.
It cannot be embedded in an XML or HTML foreign content context without extra
care.
If it contains a string literal that embeds a NUL it cannot be embedded in XML
period even if extra care is taken.
If we stick to browsers, JSON.canonicalize() would presumably be used with
WebCrypto, WebSocket etc.
Node.js is probably a more important target.
Related stuff:
https://tools.ietf.org/id/draft-erdtman-jose-cleartext-jws-00.html
JSON signatures without canonicalization.
The output of JSON.canonicalize would also not be in the subset of JSON
that is also a subset of JavaScript's PrimaryExpression.
JSON.canonicalize(JSON.stringify("\u2028\u2029")) ===
`"\u2028\u2029"`
It also is not suitable for use internally within systems that
internally use cstrings.
JSON.canonicalize(JSON.stringify("\u0000")) === `"\u0000"`
JSON.canonicalize() would be [almost] identical to JSON.stringify()
You're correct. Many JSON producers have a web-safe version, but the
JavaScript builtin does not.
My point is that JSON.canonicalize undoes those web-safety tweaks.
JSON.canonicalize(JSON.parse('"\u2028\u2029"')) === '"\u2028\u2029"' //
Returns true
"Emulator":
var canonicalize = function(object) {
var buffer = '';
serialize(object);
I thought canonicalize took in a string of JSON and produced the same. Am I
wrong?
Yes, it is just a variant of JSON.stringify().
"Canonicalize" to my mind means a function that returns the canonical member of
an
equivalence class given any member from that same equivalence class, so is always
'a -> 'a.
This is rather a canonicalizing serializer.
return buffer;
function serialize(object) {
if (object !== null && typeof object === 'object') {
JSON.stringify(new Date(0)) === "\"1970-01-01T00:00:00.000Z\""
because Date.prototype.toJSON exists.
If you operate as a JSON_string -> JSON_string function then you
can avoid this complexity.
if (Array.isArray(object)) {
buffer += '[';
let next = false;
object.forEach((element) => {
if (next) {
buffer += ',';
}
next = true;
serialize(element);
});
buffer += ']';
} else {
buffer += '{';
let next = false;
Object.keys(object).sort().forEach((property) => {
if (next) {
buffer += ',';
}
next = true;
buffer += JSON.stringify(property);
I think you need a symbol check here. JSON.stringify(Symbol.for('foo')) ===
undefined
buffer += ':';
serialize(object[property]);
});
buffer += '}';
}
} else {
buffer += JSON.stringify(object);
This fails to distinguish non-integral numbers from integral ones, and produces
non-standard output
when object === undefined. Again, not a problem if the input is required to be
valid JSON.
Well, a proper implementation would build on JSON.stringify() with property
sorting as the only enhancement.
}
}
};
_______________________________________________
es-discuss mailing list
[email protected]
https://mail.mozilla.org/listinfo/es-discuss
