Drop JSON from the language?
sayrer at gmail.com
Fri Oct 12 15:26:26 PDT 2007
I think this feature might be better to add as a library. I'm working
on a patch for Mozilla that provides a native JSON implementation like
so: |new JSON()|. I had been basing the API on Bob's python simplejson
API, but it looks like Google Caja did something similar in JS, so I
might go with their method and argument names instead. It's pretty
much the same otherwise.
Note that Caja's implementation of JSON.serialize makes exactly the
same changes that have been proposed (and greeted with silence)
For json.js, other objects can provide their own implementation
of toJSONString(), in which case JSON serialization relies
on these objects to return a correct JSON string. If an
object instead returns an unbalanced part of a JSON
string and another object returns a compensating
unbalanced string, then an outer toJSONString() can
produce quoting confusions that invite XSS-like
attacks. The primary purpose of safe-json.js is to
prevent such attacks.
"I would have written a shorter letter, but I did not have the time."
More information about the Es4-discuss