mike wrote:
> On Sun, Dec 14, 2008 at 12:39 AM, Rasmus Lerdorf <ras...@lerdorf.com> wrote:
>
>> Eh? Read what you wrote there. If json wasn't pure javascript, how in
>> the world would eval() work on it?
>
> Sorry. I guess I meant it didn't execute by itself, but needed to be
> interpreted using something like eval and/or thrown into a variable
> before it was useful. Otherwise it's just text.
>
> I'm not sure why we had to do that workaround I previously mentioned,
> and I cannot find a repository with that old code, but nowadays
> json_encode seems to work seamlessly for all the data we exchange
> (which are strings, ints, arrays, no objects, possibly not even
> booleans) and just wanted to voice off if there was any possible
> incompatibility that may be introduced here.
>
> I'll go back in my corner now :)

I thought I explained that a few times now. JSON is defined in the RFC as a subset of Javascript, so a "JSON Parser" doesn't need to have all the capabilities of the javascript parser. Things break if you pass the output of json_encode() to a JSON parser that follows the RFC to the letter.

When we do json_encode(123) we spit out just:

123

or json_encode("abc") we produce just:

"abc"

this is obviously valid Javascript so both eval and direct injection into a script block (which is the same thing) will work fine. But the RFC says we should be wrapping either array or object notation around it. As in

[123]

and

["abc"]

to make it valid JSON.

Direct injection into

<script>var foo = <?php echo json_encode("abc")?>;</script>

will still work, of course, the only change is that foo now becomes an array with a single string element as opposed to just the string itself, so making this change will break existing javascript that relies on PHP producing unwrapped basic types.

Now, in most cases when you are passing stuff around via json, you don't do that for a single value, so in most cases you end up passing an array anyway, and in that case nothing changes.

-Rasmus

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
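
The top-level rule discussed in the message above, as an added example that is not part of the original thread or of PHP's code: a parser that follows RFC 4627 to the letter accepts only an object or array as the whole JSON text, while a lenient JavaScript parse accepts the bare scalars too. The helper names (`isRfc4627Text`, `parseRfc4627`, `compare`, `consumerSees`) are hypothetical, and the sample strings are constructed from the outputs quoted in the message.

```javascript
// Added example. RFC 4627 grammar: JSON-text = object / array.
// All function names here are hypothetical helpers, not a real library API.

// Whitespace permitted by the JSON grammar: space, tab, LF, CR.
const JSON_WS = /^[ \t\n\r]*/;

// True only when the first significant character opens an array or object.
function isRfc4627Text(text) {
  const first = text.replace(JSON_WS, "").charAt(0);
  return first === "[" || first === "{";
}

// Strict parse: enforce the top-level rule, then let JSON.parse
// validate the remainder of the document.
function parseRfc4627(text) {
  if (!isRfc4627Text(text)) {
    throw new SyntaxError("top-level value must be an object or array");
  }
  return JSON.parse(text);
}

// What script code receiving the value ends up holding.
function consumerSees(value) {
  return Array.isArray(value) ? "array" : typeof value;
}

// Run each sample through both parsers and record the outcome.
function compare(samples) {
  return samples.map((text) => {
    const lenient = JSON.parse(text);
    let strict;
    try {
      strict = { ok: true, sees: consumerSees(parseRfc4627(text)) };
    } catch (e) {
      strict = { ok: false, error: e.message };
    }
    return { text, lenientSees: consumerSees(lenient), strict };
  });
}

// Constructed samples: unwrapped and wrapped forms from the message.
const samples = ["123", '"abc"', "[123]", '["abc"]'];
for (const row of compare(samples)) {
  console.log(JSON.stringify(row));
}
```

The wrapped forms pass both parsers, but the consumer now holds an array rather than a string or number, which is the compatibility break the message describes.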