Well, if you mean "terrified" as in "Ought to learn about security and
input sanitization," I agree. If you mean it as in "should never use
json/xml," then I disagree. JSON is a great way to store and move data,
especially on the web.
To summarize the security part for those new to it: Any time
I considered leaving json out of the subject line on the grounds that it's
less terrifying, but I figured anyone accepting and parsing user data in
any format who didn't already know this stuff could benefit from hearing
about it. Didn't want people to rule themselves out because "oh, I don't do
It doesn't help that plenty of tutorials, like W3Schools, mention eval()
without any qualifications about the security risks.
Kate Deibel, PhD | Web Applications Specialist
Information Technology Services
University of Washington Libraries
http://staff.washington.edu/deibel
--
"When Thor
Agreed, I thought the JSON criticism was a bit of a stretch. It's hilarious
that json.org, *created by Douglas Crockford*, mentions using eval() as a
JSON parser, though.
Best,
Eric
On Thu, Dec 17, 2015 at 8:42 PM, Brian Hoffman wrote:
> Thanks, this was interesting. But
I strongly recommend this hilarious, terrifying PyCon talk about
vulnerabilities in yaml, xml, and json processing:
https://www.youtube.com/watch?v=kjZHjvrAS74
If you process user-submitted data in these formats and don't yet know why
you should be flatly terrified, please watch this ASAP; it's
Thanks! That's really solid. I just spent $EMBARRASSINGLY_LONG_TIME
figuring out how to turn off half of Saxon's XML parsing functionality for
some of these reasons.
On Thu, Dec 17, 2015 at 9:22 AM, Andromeda Yelton <andromeda.yel...@gmail.com> wrote:
> I strongly recommend this hilarious,
On Dec 17, 2015, at 8:22 AM, Andromeda Yelton wrote:
> I strongly recommend this hilarious, terrifying PyCon talk about
> vulnerabilities in yaml, xml, and json processing:
>
> https://www.youtube.com/watch?v=kjZHjvrAS74
>
> If you process user-submitted data in
Thanks, this was interesting. But the JSON segment is a little less than
terrifying as it’s predicated on the misuse of eval(), which is commonly and
easily avoided.
> On Dec 17, 2015, at 11:00 PM, CODE4LIB automatic digest system wrote:
>
>
> Date:Thu, 17