Re: [CODE4LIB] yaml/xml/json, POST data, bloodcurdling terror

2015-12-21 Thread Chris Moschini
Well, if you mean "terrified" as in "Ought to learn about security and input sanitization," I agree. If you mean it as in "should never use json/xml," then I disagree. JSON is a great way to store and move data, especially on the web. To summarize the security part for those new to it: Any time

Re: [CODE4LIB] yaml/xml/json, POST data, bloodcurdling terror

2015-12-19 Thread Andromeda Yelton
I considered leaving json out of the subject line on the grounds that it's less terrifying, but I figured anyone accepting and parsing user data in any format who didn't already know this stuff could benefit from hearing about it. Didn't want people to rule themselves out because "oh, I don't do

Re: [CODE4LIB] yaml/xml/json, POST data, bloodcurdling terror

2015-12-18 Thread Katherine N. Deibel
It doesn't help that plenty of tutorials, like W3Schools, mention eval() without any qualifications about the security risks.

Kate Deibel, PhD | Web Applications Specialist
Information Technology Services
University of Washington Libraries
http://staff.washington.edu/deibel
-- "When Thor

Re: [CODE4LIB] yaml/xml/json, POST data, bloodcurdling terror

2015-12-18 Thread Eric Phetteplace
Agreed, I thought the JSON criticism was a bit of a stretch. It's hilarious that json.org, *created by Douglas Crockford*, mentions using eval() as a JSON parser, though.

Best,
Eric

On Thu, Dec 17, 2015 at 8:42 PM, Brian Hoffman wrote:
> Thanks, this was interesting. But

[CODE4LIB] yaml/xml/json, POST data, bloodcurdling terror

2015-12-17 Thread Andromeda Yelton
I strongly recommend this hilarious, terrifying PyCon talk about vulnerabilities in yaml, xml, and json processing: https://www.youtube.com/watch?v=kjZHjvrAS74 If you process user-submitted data in these formats and don't yet know why you should be flatly terrified, please watch this ASAP; it's

Re: [CODE4LIB] yaml/xml/json, POST data, bloodcurdling terror

2015-12-17 Thread David Mayo
Thanks! That's really solid. I just spent $EMBARRASSINGLY_LONG_TIME figuring out how to turn off half of Saxon's XML parsing functionality for some of these reasons.

On Thu, Dec 17, 2015 at 9:22 AM, Andromeda Yelton <andromeda.yel...@gmail.com> wrote:
> I strongly recommend this hilarious,

Re: [CODE4LIB] yaml/xml/json, POST data, bloodcurdling terror

2015-12-17 Thread Eric Lease Morgan
On Dec 17, 2015, at 8:22 AM, Andromeda Yelton wrote:
> I strongly recommend this hilarious, terrifying PyCon talk about vulnerabilities in yaml, xml, and json processing:
>
> https://www.youtube.com/watch?v=kjZHjvrAS74
>
> If you process user-submitted data in

[CODE4LIB] yaml/xml/json, POST data, bloodcurdling terror

2015-12-17 Thread Brian Hoffman
Thanks, this was interesting. But the JSON segment is a little less than terrifying as it’s predicated on the misuse of eval(), which is commonly and easily avoided.

> On Dec 17, 2015, at 11:00 PM, CODE4LIB automatic digest system wrote:
>
>
> Date:Thu, 17