JSON.stringify() has been "improved"

Anders Rundgren anders.rundgren.net at gmail.com
Mon Sep 21 05:16:12 UTC 2020


Fortunately my analysis was wrong, all systems are go!

The revised serialization deals with pathological UTF which RFC 8785 anyway outlaws.

Anders

On 2020-09-21 05:56, Anders Rundgren wrote:
> Hi ES-lovers,
> 
> I have co-authored a JSON canonicalization scheme, recently published as an RFC: https://www.rfc-editor.org/rfc/rfc8785.html
> 
> The work started with ES V6 as foundation since it made things really easy.
> 
> Serialization of quoted strings where taken "as is" from:
> https://www.ecma-international.org/ecma-262/6.0/index.html#sec-quotejsonstring
> 
> However, to my dismay it seems that this has changed in more recent ES editions:
> https://www.ecma-international.org/ecma-262/10.0/index.html#sec-quotejsonstring
> 
> That is, in V6 a smiley was serialized as any other UTF code point.
> In V10 a smiley is (AFAICT...) supposed to be serialized like \ud83d\ude00 which of course breaks canonicalization :(
> 
> Q: What was the motivation for this change?
> 
> Q: How come Chrome, Edge, and Firefox do not honor this update?
> Verification: https://cyberphone.github.io/doc/security/browser-json-canonicalization.html
> 
> Q: Does any other JSON serializer actually do this kind of transformation?
> 
> thanx,
> Anders
> 
> 



More information about the es-discuss mailing list