Drop JSON from the language?

Robert Sayre sayrer at gmail.com
Fri Oct 12 15:26:26 PDT 2007

I think this feature might be better to add as a library. I'm working
on a patch for Mozilla that provides a native JSON implementation like
so: |new JSON()|. I had been basing the API on Bob's python simplejson
API, but it looks like Google Caja did something similar in JS, so I
might go with their method and argument names instead. It's pretty
much the same otherwise.


Note that Caja's implementation of JSON.serialize makes exactly the
same changes that have been proposed (and greeted with silence)

            For json.js, other objects can provide their own implementation
            of toJSONString(), in which case JSON serialization relies
            on these objects to return a correct JSON string. If an
            object instead returns an unbalanced part of a JSON
            string and another object returns a compensating
            unbalanced string, then an outer toJSONString() can
            produce quoting confusions that invite XSS-like
            attacks. The primary purpose of safe-json.js is to
            prevent such attacks.


Robert Sayre

"I would have written a shorter letter, but I did not have the time."

More information about the Es4-discuss mailing list