undefined | Better HN

0 pointstetrep8y ago0 comments

As terrible as XML parsers can be, they've never been as bad as "XMLdoc = eval(XMLString)". I'd be more likely to trust a JSON parser not written in JavaScript than an arbitrary XML parser, but that's only because of the XML specification itself, which includes such features as including arbitrary content as specified by URLs (including local (to the parser) files!). Great ideas when you can trust your XML document, not so great otherwise.

0 comments

philsnow8y ago

modern browsers don't internally call eval(). See e.g. the definition of JSON.parse in v8: https://chromium.googlesource.com/v8/v8/+/4.3.65/src/json.js...

vsl8y ago

And modern XML parsers aren't full of vulnerabilities anymore. You're missing the point.

j / k navigate · click thread line to collapse

0 pointstetrep8y ago0 comments

0 comments

philsnow8y ago

modern browsers don't internally call eval(). See e.g. the definition of JSON.parse in v8: https://chromium.googlesource.com/v8/v8/+/4.3.65/src/json.js...

vsl8y ago

And modern XML parsers aren't full of vulnerabilities anymore. You're missing the point.

j / k navigate · click thread line to collapse