On 2013-09-03 02:33, Tim Bray wrote:
> On Mon, Sep 2, 2013 at 5:28 PM, Manger, James H <[email protected]> wrote:
>
>     You can escape / as \/ in JSON, but you don't have to. "/" and "\/" are 
> both equally valid JSON strings representing the same 1-character logical 
> value. Any JSON parser needs to support both.
>
>
> Yes.
>  
>
>     I believe the one useful use of \/ is to escape "</script>" as 
> "<\/script>" when it appears as a JSON string in HTML so the HTML parser does 
> not misinterpret it as the end of the script.
>
>
> No.  Because \/ is just /.
>
> If you want \/ in your output you have to say \\/.

No, you don't.  The darn JSON serializer does the escaping for you regardless 
of whether you want it or not:

http://stackoverflow.com/questions/6011012/making-json-not-escape-forward-slashes

Also in Android :-)


>
> In any case, all this escaping is done at the JSON parser level, so app-level 
> software doesn’t know whether the JSON textual form contained / or \/.
>
> Yes, if you read and re-serialize a JSON text and foolishly escape characters 
> here and there, you will break signatures.  JSON doesn’t have a canonical 
> form and is not apt to get one.  -T

If you add an option to a JSON serializer that will cost you some 3-20 lines 
you may indeed produce "Canonical JSON" that is both user-friendly ("readable") 
and signature-adapted.

Web developers have successfully used non-escaped URLs in JavaScript since it 
was introduced by Netscape in the mid-90s.

Going back to the subject line, JOSE standards apparently don't need any 
"improvements" in JSON serializers.
However, it comes at a price: Obscured messages.
If the "message" is just a token there's no problem to solve.
For more elaborate messaging schemes like KeyGen2 and payments the situation is 
slightly different, particularly from a debug/documentation point-of-view.

Cheers
Anders


>  
>
>     In a canonical form of JSON one form needs to be chosen: "/" is the best 
> choice; it is the choice of ECMAScript’s JSON.stringify.
>     JOSE does not require a canonical form so "http://example.com" and 
> "http:\/\/example.com" are both acceptable. I'm glad the 
> former is chosen for the JOSE examples.
>
>
>     > However, when looking further I note that JOSE requires some kind of
>     > non-standard/additional JSON normalizing before applying base64url:
>     >
>     > 
> http://tools.ietf.org/id/draft-ietf-jose-json-web-signature-14.html#rfc.section.5.3
>
>     No. The string comparison rules are just trying to be clear that JOSE 
> implementations are expected to compare logical string values (not JSON 
> serializations, which are not unique due to optional escape sequences) and 
> are not expected to perform any Unicode normalization, such as NFC or NFKD.
>
>     --
>     James Manger
>     _______________________________________________
>     jose mailing list
>     [email protected] <mailto:[email protected]>
>     https://www.ietf.org/mailman/listinfo/jose
>
>
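
The points discussed in this thread, as an added example that is not part of the original messages or of any JOSE implementation: "/" and "\/" parse to the same value, a JWS-style signature over the base64url of the received octets survives only if the text is not re-serialized, and a serializer option can emit "<\/" for inline script embedding. The function names, key and payloads are constructed assumptions.

```javascript
// Added example (Node.js). All names, keys and payloads are constructed.
const crypto = require('crypto');

// Two serializations of the same logical value.
const escaped = '{"iss":"http:\\/\\/example.com"}'; // text contains \/
const plain = '{"iss":"http://example.com"}';       // text contains /

// base64url without padding, as used for JWS signing input.
function b64url(data) {
  return Buffer.from(data).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// JWS-style signing input: header and payload octets are encoded exactly
// as received, so no canonical JSON form is needed.
function signingInput(headerText, payloadText) {
  return b64url(headerText) + '.' + b64url(payloadText);
}

function hmacSign(key, headerText, payloadText) {
  const mac = crypto.createHmac('sha256', key)
    .update(signingInput(headerText, payloadText)).digest();
  return b64url(mac);
}

function verify(key, headerText, payloadText, sig) {
  const expected = Buffer.from(hmacSign(key, headerText, payloadText));
  const got = Buffer.from(String(sig));
  return expected.length === got.length &&
    crypto.timingSafeEqual(expected, got);
}

// Parse and re-serialize: JSON.stringify emits "/" unescaped, so the
// octets differ from the escaped original even though the value is equal.
function reserialize(text) {
  return JSON.stringify(JSON.parse(text));
}

// Serializer option for inline <script> embedding: write "</" as "<\/".
// Any JSON parser reads it back as "</", because \/ is just /.
function stringifyForScript(value) {
  return JSON.stringify(value).replace(/<\//g, '<\\/');
}
```

Verifying against the received text succeeds; verifying against `reserialize(escaped)` fails, which is the signature breakage described above.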
