Pseudo-JSON with unquoted property names

Brendan Eich brendan at mozilla.org
Fri Jun 5 17:07:19 PDT 2009


On Jun 5, 2009, at 3:57 PM, David-Sarah Hopwood wrote:

> Only the Ruby on Rails example is two years old.
> <http://www.uize.com/reference/uize.json.html#2_2_7> and
> <http://simile.mit.edu/wiki/Exhibit/Creating,_Importing,_and_Managing_Data>
> are current.

Perhaps I should have written "or otherwise flaky enough" instead of  
"and otherwise ...."


> It's a bit odd that we are on different sides of the argument than usual,
> with me emphasizing the risk of incompatibility even with relatively
> sparse evidence.

Fair point. My belief is that we can get away with greater  
restrictiveness in the native JSON implementations, especially with  
the top five browsers on board (AFAICT). I can't prove it, though.


> Accepting unquoted names is pretty harmless from a security point of view,
> and does not add significant specification or implementation complexity

I agree with this much, it's not a great cost to implementors.

The usual problem in being liberal in what you accept is that it ties  
your hands forever. However, Doug asserts that JSON will never change,  
only some day be replaced. So the anti-Postel Law may not bite hard  
here if we accept but never produce unquoted identifiers as property  
names.

You hope that this leads horses using eval to water; but it may not  
make them drink. I see a lot of sunk cost fallacy out there, so people  
using json2.js will probably continue to do so. The ones motivated to  
change to native JSON are probably motivated to quote identifiers.

Do Doug and Mark share your risk-of-perpetuating-eval analysis?

/be
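
The "accept but never produce" position discussed in this message can be met without eval. The following is an added example, not code from the thread, json2.js or any browser; the names quoteBareNames and parseLenient and the sample input are constructed for illustration.

```javascript
// Read pseudo-JSON without eval: bare identifiers in property-name position
// are quoted, then the text goes through the strict native parser, so anything
// that is not data is rejected. Single-quoted strings are not accepted.
function quoteBareNames(text) {
  let out = '';
  let i = 0;
  while (i < text.length) {
    const ch = text[i];
    if (ch === '"') {
      // Copy a string literal verbatim, stepping over backslash escapes.
      let j = i + 1;
      while (j < text.length && text[j] !== '"') j += text[j] === '\\' ? 2 : 1;
      out += text.slice(i, j + 1);
      i = j + 1;
    } else if (/[A-Za-z_$]/.test(ch)) {
      let j = i + 1;
      while (j < text.length && /[A-Za-z0-9_$]/.test(text[j])) j++;
      const word = text.slice(i, j);
      // Name position: preceded by "{" or "," and followed by ":".
      const prev = out.trimEnd().slice(-1);
      const next = text.slice(j).trimStart()[0];
      const isName = (prev === '{' || prev === ',') && next === ':';
      out += isName ? JSON.stringify(word) : word;
      i = j;
    } else {
      out += ch;
      i++;
    }
  }
  return out;
}

// Accept: unquoted names are tolerated on input.
function parseLenient(text) {
  return JSON.parse(quoteBareNames(text));
}

// Constructed sample input; the string value contains text that looks like
// an unquoted name and must be left alone.
const sample = '{name: "a:b, {c: 1}", tags: [true, null], n: {$id: 1e2}}';

// Never produce: output always uses quoted names.
console.log(JSON.stringify(parseLenient(sample)));

// Executable content is a SyntaxError here, where eval would have run it.
try {
  parseLenient('{a: alert(1)}');
} catch (e) {
  console.log('rejected:', e.name);
}
```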




More information about the es5-discuss mailing list