undefined | Better HN

0 pointsjcampbell112y ago0 comments

Trailing commas would make the problem worse! If you allow trailing commas then you would break json parsing in all old version of IE. The unicode line ending problem is more subtle.

I have seen people write code like (mix javascript and some templating):

    <script>
    var prefs = <%= user_prefs.to_spec_conforming_json() %>;
    ...

The above code looks okay, but if the json is just spec conforming, then you are exposed to a potential XSS attack.

Most people that write json encoders are aware of the problem, but why publish a a spec that can potentially create serious security problems?

0 comments

masklinn12y ago

> If you allow trailing commas then you would break json parsing in all old version of IE.

No, you would break the evaluation of json as javascript in old versions of IE.

Use a real parser already.

jcampbell1OP12y ago

I do use a real parser, but it is not possible for JSON-P.

zenojevski12y ago

I've always avoided JSONP, but this would seem doable. What am I missing?

    callback(JSON.parse('{ "key":"value" }'))

Or even directly parsing the string inside of the callback.

jonny_eh12y ago

Don't use JSONP.

1 more reply

ante_annum12y ago

> you would break json parsing in all old version of IE

Why do people still care about old versions of IE?

drhayes912y ago

~22% of China still uses IE6: http://www.ie6countdown.com/

Developing nations have a tendency to not use the latest and greatest. If reaching them is important for you/your product then you have to keep tracking this stuff.

zanny12y ago

> Developing nations have a tendency to not use the latest and greatest.

Attention developing nations: Chromium and Firefox are completely foss. No excuse, unless you don't have an internet connection.

In which case, what do you need a web browser for?

1 more reply

AYBABTME12y ago

And if the internet stops working for them because they use IE6, will they somehow manage to upgrade?

jcampbell1OP12y ago

IE10, IE11 in non-standards mode also don't accept trailing commas. I don't care if you accept trailing commas, but dear god, never emit them.

windsurfer12y ago

They don't, it's just convenient to make their point. Pretty much any new technology isn't directly compatible with old technology.

j / k navigate · click thread line to collapse

0 pointsjcampbell112y ago0 comments

Trailing commas would make the problem worse! If you allow trailing commas then you would break json parsing in all old version of IE. The unicode line ending problem is more subtle.

I have seen people write code like (mix javascript and some templating):

    <script>
    var prefs = <%= user_prefs.to_spec_conforming_json() %>;
    ...

The above code looks okay, but if the json is just spec conforming, then you are exposed to a potential XSS attack.

Most people that write json encoders are aware of the problem, but why publish a a spec that can potentially create serious security problems?

0 comments

masklinn12y ago

> If you allow trailing commas then you would break json parsing in all old version of IE.

No, you would break the evaluation of json as javascript in old versions of IE.

Use a real parser already.

jcampbell1OP12y ago

I do use a real parser, but it is not possible for JSON-P.

zenojevski12y ago

I've always avoided JSONP, but this would seem doable. What am I missing?

    callback(JSON.parse('{ "key":"value" }'))

Or even directly parsing the string inside of the callback.

jonny_eh12y ago

Don't use JSONP.

1 more reply

ante_annum12y ago

> you would break json parsing in all old version of IE

Why do people still care about old versions of IE?

drhayes912y ago

~22% of China still uses IE6: http://www.ie6countdown.com/

Developing nations have a tendency to not use the latest and greatest. If reaching them is important for you/your product then you have to keep tracking this stuff.

zanny12y ago

> Developing nations have a tendency to not use the latest and greatest.

Attention developing nations: Chromium and Firefox are completely foss. No excuse, unless you don't have an internet connection.

In which case, what do you need a web browser for?

1 more reply

AYBABTME12y ago

And if the internet stops working for them because they use IE6, will they somehow manage to upgrade?

jcampbell1OP12y ago

IE10, IE11 in non-standards mode also don't accept trailing commas. I don't care if you accept trailing commas, but dear god, never emit them.

windsurfer12y ago

They don't, it's just convenient to make their point. Pretty much any new technology isn't directly compatible with old technology.

j / k navigate · click thread line to collapse