== Safety ==
JSON being a subset of JavaScript can lead to the misconception that it is safe to pass JSON texts to the JavaScript <code>[[eval]]()</code> function. This is not safe: certain valid JSON texts, specifically those containing {{unichar|2028|LINE SEPARATOR}} or {{unichar|2029|PARAGRAPH SEPARATOR}}, were not valid JavaScript code until the JavaScript specification was updated in 2019, so older engines may not accept them.<ref name="Magnus Holm">{{cite web|title=JSON: The JavaScript subset that isn't|url=http://timelessrepo.com/json-isnt-a-javascript-subset|publisher=Magnus Holm|access-date=16 May 2011|archive-date=May 13, 2012|archive-url=https://web.archive.org/web/20120513012409/http://timelessrepo.com/json-isnt-a-javascript-subset|url-status=dead}}</ref> To avoid the many pitfalls caused by executing arbitrary code from the Internet, a new function, {{code|lang=javascript|code=JSON.parse()}}, was first added in the fifth edition of ECMAScript,<ref>{{cite web|url=https://ecma-international.org/publications-and-standards/standards/ecma-262/|title=ECMA-262: ECMAScript Language Specification |edition=5th |date=December 2009|access-date=March 18, 2011|archive-url=https://web.archive.org/web/20110414214458/http://www.ecma-international.org/publications/files/ECMA-ST/ECMA-262.pdf|archive-date=April 14, 2011|url-status=live|df=mdy-all}}</ref> which as of 2017 is supported by all major browsers.
For browsers that do not support it, an API-compatible JavaScript library is provided by [[Douglas Crockford]].<ref>{{cite web|url=https://github.com/douglascrockford/JSON-js/blob/master/json2.js|title=douglascrockford/JSON-js|website=GitHub|date=2019-08-13}}</ref> In addition, the TC39 proposal "Subsume JSON" made [[ECMAScript]] a strict JSON superset as of the language's 2019 revision.<ref name=ECMATC39>{{cite web |title=Subsume JSON: Proposal to make all JSON text valid ECMA-262 |url=https://tc39.es/proposal-json-superset/ |publisher=Ecma TC39 |access-date=27 August 2019 |date=23 August 2019}}</ref><ref name=ECMATC39Stage4>{{cite web |title=Advance to Stage 4 - tc39/proposal-json-superset |url=https://github.com/tc39/proposal-json-superset/commit/0604b6083e18fe033a1520388b8c6146bcd79e23|website=GitHub|date=May 22, 2018}}</ref>

Various JSON parser implementations have suffered from [[denial-of-service attack]]s and [[mass assignment vulnerability|mass assignment vulnerabilities]].<ref>{{cite web |url=https://www.ruby-lang.org/en/news/2013/02/22/json-dos-cve-2013-0269/ |title=Denial of Service and Unsafe Object Creation Vulnerability in JSON (CVE-2013-0269) |access-date=January 5, 2016}}</ref><ref>{{cite web |url=http://tools.cisco.com/security/center/viewAlert.x?alertId=31048 |title=Microsoft .NET Framework JSON Content Processing Denial of Service Vulnerability |archive-url=https://web.archive.org/web/20181106233952/http://tools.cisco.com/security/center/viewAlert.x?alertId=31048 |access-date=January 5, 2016 |archive-date=November 6, 2018}}</ref>
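
The difference between <code>eval()</code> and <code>JSON.parse()</code> described above can be seen in the following added example, which is not taken from the cited sources. The function names <code>parseUntrusted</code>, <code>hasRawSeparators</code> and <code>toScriptSafeJson</code> and both sample texts are constructed for illustration.

```javascript
// Added example: handle untrusted JSON text without eval().
// All names and sample inputs here are constructed for illustration.

const LS = String.fromCharCode(0x2028); // LINE SEPARATOR
const PS = String.fromCharCode(0x2029); // PARAGRAPH SEPARATOR

// Valid JSON whose string value holds raw U+2028 and U+2029 (constructed).
const sampleValid = '{"note":"line' + LS + 'break' + PS + 'end"}';
// Not JSON: contains an expression that eval() would compute (constructed).
const sampleExpression = '{"total": 1 + 1}';

// Parse with JSON.parse(), which accepts only the JSON grammar and never
// evaluates expressions; report failure instead of throwing.
function parseUntrusted(text) {
  try {
    return { ok: true, value: JSON.parse(text) };
  } catch (err) {
    return { ok: false, error: err.name };
  }
}

// True when the text carries raw U+2028/U+2029, the characters that made
// some valid JSON texts invalid JavaScript before the 2019 revision.
function hasRawSeparators(text) {
  return /[\u2028\u2029]/.test(text);
}

// Serialize a value for embedding in JavaScript source text: escaping both
// separators keeps the output valid JSON and also valid JavaScript on
// engines older than the 2019 revision.
function toScriptSafeJson(value) {
  return JSON.stringify(value)
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

const parsed = parseUntrusted(sampleValid);
const rejected = parseUntrusted(sampleExpression);
const embedded = toScriptSafeJson(parsed.value);
console.log(parsed.ok, rejected.ok, rejected.error, embedded);
```

The escaping in <code>toScriptSafeJson</code> covers only the two separator characters; it does not make the output safe to place inside HTML markup.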