Comments (8)
@aseemk I'm not so sure that ES5 should win over JSON in this instance.
The JSONP issue can be fixed by JSONP implementations, and since JSON is an official standard and JSONP is not, the onus is on JSONP implementations to escape `\u2028` and `\u2029` in strings.
It may be true that not many people would be using those characters in hand-written JSON5, but what about the cases where existing JSON files are parsed as JSON5? They'll fail if they contain those characters.
I think it's more important for JSON5 to be backward compatible with JSON in this case. In other words, it's more important that JSON5 can parse JSON than that ES5 can parse JSON5. `eval` is strongly discouraged, so the only other time JSON5 would be parsed as ES5 is in JSON5P (working title) implementations and when the user copies and pastes JSON5 directly into their JavaScript.
This only applies to parsing strings, however. Whether we allow those characters in comments is up for discussion. I'm leaning toward keeping the ES5 standard and rejecting them.
from json5.
-1
JSON5 is defined as a JavaScript subset, not as a JSON superset, so it makes sense to use it as such.
The fact that JSON is not a proper subset is creating issues (see JSONP for example - expressjs/express#1132). It would be nice if JSON5 would fix those.
from json5.
@rlidwka You make a good point. It seems that JSON5 cannot be a strict subset of JavaScript and work with all existing JSON content at the same time.
Granted, those Unicode whitespace characters probably aren't common, but it might be a rude awakening for someone who has been using those characters in JSON and then switched to JSON5.
In the end, is it more important for JSON5 to be a strict subset of JavaScript or to work with all existing JSON5 content?
from json5.
Good points, guys. I wasn't aware of that issue, thanks!
Is that the only case where JSON itself isn't a strict subset of ES5? Or are there others?
If that's the only one, I agree with @rlidwka here: let's go on the side of being a subset of ES5 in this case. I don't think we should expect people to be using those characters in their hand-written JSON.
from json5.
> Is that the only case where JSON itself isn't a strict subset of ES5? Or are there others?
Those two characters are the only case.
from json5.
Great points, @jordanbtucker.
Funny enough, the two unsafe chars just hit us at @fiftythree: we just had site-wide downtime this morning from user input that had them.
https://medium.com/joys-of-javascript/json-js-42a28471221d
Our context was that we take server-side JSON data and render it to client-side JS (to bootstrap client-side functionality). Bug filed with our rendering lib:
To be clear, this was programmatic JSON, not handwritten JSON5. The characters came from user input, probably copy-pasted somehow (as it didn't look malicious).
I guess this issue boils down to these questions for me:
- How often does (legitimate) JSON have these two characters?
- How often are people parsing JSON5 as JS? (Whether through JSONP, `eval`, or rendering.)
- ==> How often are people parsing JSON with these legitimate characters, with JSON5, as JS?
from json5.
What if we parse `\u2028` and `\u2029` (perhaps with a warning) but never output those characters unescaped?
I had that idea last time I posted, but I discarded it because I didn't like having a parser that doesn't match the spec. But after your comments, I started thinking about the difference between HTML and XML parsers. Does JSON5 need to have draconian error handling like XML, or can we take a page from HTML's tag soup handling book?
In this case:
- `\u2028` and `\u2029` are technically valid in strings in JSON5.
- JSON5 will parse `\u2028` and `\u2029`, and optionally give a warning.
- JSON5 will escape those characters when stringified.
If you have a JSON5 file with those characters, and the contents of that file are in a variable named `file`, you can call `JSON5.stringify(JSON5.parse(file))` and you'll get back valid ES5 that you can inject into scripts.
And you can do the same thing if `file` is regular JSON, too.
from json5.
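The "parse leniently, stringify strictly" proposal in the comment above, sketched as an added example that is not part of the thread or the json5 code base. The built-in `JSON` object stands in for JSON5, and the names `parseWithWarnings`, `stringifyForScript` and `normalize` are hypothetical.

```javascript
// Added example: built-in JSON stands in for JSON5; function names are hypothetical.
const SEPARATORS = /[\u2028\u2029]/g; // LINE SEPARATOR and PARAGRAPH SEPARATOR

// Lenient side: accept raw U+2028/U+2029 in the input, but record where each
// one occurs so the caller can log a warning instead of failing the parse.
function parseWithWarnings(text) {
  const warnings = [];
  for (const m of text.matchAll(SEPARATORS)) {
    const cp = m[0].charCodeAt(0).toString(16).toUpperCase();
    warnings.push({ offset: m.index, message: `raw U+${cp} at offset ${m.index}` });
  }
  return { value: JSON.parse(text), warnings };
}

// Strict side: never emit the two characters unescaped. In JSON.stringify
// output they can only occur inside string values, so replacing them with
// their \uXXXX escapes keeps the text valid JSON with the same meaning.
function stringifyForScript(value) {
  const json = JSON.stringify(value);
  if (json === undefined) {
    throw new TypeError('value is not serializable as JSON');
  }
  return json.replace(SEPARATORS, (ch) => '\\u' + ch.charCodeAt(0).toString(16));
}

// The round trip from the comment: stringify(parse(file)).
function normalize(text) {
  return stringifyForScript(parseWithWarnings(text).value);
}

// Constructed sample: a JSON document whose string value contains both
// characters raw (the JS escapes below produce the actual code points).
const file = '{"msg":"a\u2028b\u2029c"}';

const { warnings } = parseWithWarnings(file);
for (const w of warnings) console.warn(w.message);
console.log(normalize(file)); // same data, separators now escaped
```

Engines that implement ES2019 accept these two characters raw inside string literals, so the escaping matters for ES5-era parsers like the ones discussed in this thread.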
Fixed in 35269da
from json5.