Pseudo-JSON with unquoted property names
brendan at mozilla.org
Fri Jun 5 17:07:19 PDT 2009
On Jun 5, 2009, at 3:57 PM, David-Sarah Hopwood wrote:
> Only the Ruby on Rails example is two years old.
> <http://www.uize.com/reference/uize.json.html#2_2_7> and
> are current.
Perhaps I should have written "or otherwise flaky enough" instead of
"and otherwise ...."
> It's a bit odd that we are on different sides of the argument than
> with me emphasizing the risk of incompatibility even with relatively
> sparse evidence.
Fair point. My belief is that we can get away with greater
restrictiveness in the native JSON implementations, especially with
the top five browsers on board (AFAICT). I can't prove it, though.
> Accepting unquoted names is pretty harmless from a security point of
> and does not add signficant specification or implementation complexity
I agree with this much, it's not a great cost to implementors.
The usual problem in being liberal in what you accept is that it ties
your hands forever. However, Doug asserts that JSON will never change,
only some day be replaced. So the anti-Postel Law may not bite hard
here if we accept but never produce unquoted identifiers as property
You hope that this leads horses using eval to water; but it may not
make them drink. I see a lot of sunk cost fallacy out there, so people
using json2.js will probably continue to do so. The ones motivated to
change to native JSON are probably motivated to quote identifiers.
Do Doug and Mark share your risk-of-perpetuating-eval analysis?
More information about the es5-discuss