[Json] JSON in Web Pages. Was: Go JSON parser ignores the case of member names

Anders Rundgren <anders.rundgren.net@gmail.com> Thu, 10 March 2016 10:14 UTC

To: "Manger, James" <James.H.Manger@team.telstra.com>, John Cowan <cowan@mercury.ccil.org>, Rob Sayre <sayrer@gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/json/I2dF4osWAUlvax48WTxnAei3ldQ>
Cc: "json@ietf.org" <json@ietf.org>

On 2016-03-10 05:55, Manger, James wrote:

> P.S. Another interesting feature of the standard JSON package in Go is that it ALWAYS escapes
> "<" as "\u003c" - as a safety feature, in case the JSON is used within HTML.

Wow James, you are a true genius for finding difficult spots!

My JSON tools have been upgraded to support JSON-serializable JavaScript objects
intended for usage in Web pages.  That's great but (of course...) I had overlooked
the case you mentioned:

<html...>

<script>

var jsonData = {
   trouble: "</script>"
};

FAIL!

That is, you really have to do as Go does, which fortunately has no practical implications
since an ES6 compatible serializer will anyway produce the right (normalized) result
during signature verification.  Sometimes you need a little bit of luck as well...

Anders
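
Added example, not part of the original message or of any tool it mentions: a serializer that escapes "<" the way Go's encoding/json does before JSON is inlined in a script element, with a check that re-serializing the parsed result gives back the unescaped form. The function names and the script-end check (a simplified model of the HTML parser) are assumptions made for illustration.

```javascript
// Serialize a value for inlining in an HTML <script> block.
// JSON.stringify leaves "<" untouched, so a string holding "</script>"
// would terminate the script element. Go's encoding/json writes "<" as
// \u003c by default (and also escapes ">", "&", U+2028 and U+2029).
// These characters only occur inside JSON strings, so replacing them in
// the serialized text with \uXXXX escapes keeps the JSON valid.
function serializeForScript(value) {
  return JSON.stringify(value).replace(/[<>&\u2028\u2029]/g, (c) =>
    '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

// Simplified model (assumption): the HTML parser ends the script element
// at the first "</script" followed by whitespace, "/" or ">", regardless
// of JavaScript string quoting.
function closesScriptEarly(scriptText) {
  return /<\/script[\s/>]/i.test(scriptText);
}

// Hypothetical helper: the inline assignment used in the message.
function inlineScript(json) {
  return 'var jsonData = ' + json + ';';
}

// Constructed sample input, taken from the failing case in the message.
const sample = { trouble: '</script>' };

function demo() {
  const plain = JSON.stringify(sample);
  const safe = serializeForScript(sample);
  return {
    plain,
    safe,
    plainBreaks: closesScriptEarly(inlineScript(plain)),
    safeBreaks: closesScriptEarly(inlineScript(safe)),
    // Parsing the escaped text and serializing again yields the same
    // normalized text as the unescaped original, so a signature computed
    // over the normalized form verifies either way.
    sameNormalized: JSON.stringify(JSON.parse(safe)) === plain,
  };
}

console.log(demo());
```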