Newsgroups: php.internals
Xref: news.php.net php.internals:113313
Date: Sat, 27 Feb 2021 18:33:00 +0000
From: craig@craigfrancis.co.uk (Craig Francis)
To: Rowan Tommins
Cc: PHP internals
Subject: Re: [PHP-DEV] Support JSON With Commas and Comments (JWCC) in json_decode
In-Reply-To: <780576d4-f4a3-756e-2525-9744119006e3@gmail.com>

On Tue, 23 Feb 2021 at 18:46, Rowan Tommins wrote:

> On 23/02/2021 18:21, Pavel Djundik via internals wrote:
> > See https://nigeltao.github.io/blog/2021/json-with-commas-comments.html
> > for more information.
> > ...
> > Perhaps this could be disabled by default and made opt-in with an
> > option flag? json_decode already supports passing in options.
>
> The risk is that this opens the gate for a complex set of "quirks flags"
> like the referenced Wuffs library

I'm not against making changes to JSON parsing, but you're right about complexity, it can cause issues, especially if the JSON string is coming from an untrusted source, e.g.
https://labs.bishopfox.com/tech-blog/an-exploration-of-json-interoperability-vulnerabilities

    {
      "description": "Duplicate with comments",
      "test": 2,
      "extra": /*,
      "test": 1,
      "extra2": */
    }

Is this comment a problem (parse error), ignored so 'test' is set to 1 (assuming the duplicate key is allowed and the value is replaced), or handled as a comment so 'test' remains with the value 2?

Craig
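
The three outcomes asked about above, as an added example (not part of the original message and not PHP's own code): it decodes one document under a strict policy, a comment-aware policy, and a policy that skips only the comment markers. `rewriteComments()` and `readings()` are hypothetical helpers, and the sample document is constructed, with string values placed around the comment markers so that each policy has a complete document to parse.

```php
<?php
// Constructed sample modeled on the document in the message above.
const SAMPLE = '{"description": "Duplicate with comments", "test": 2, '
             . '"extra": "a"/*, "test": 1, "extra2": "b"*/}';

// Hypothetical helper: rewrite /* */ comments that sit outside string literals.
// $dropBody = true models a comment-aware parser (the comment text is removed);
// $dropBody = false models a lenient parser that skips only the two markers.
function rewriteComments(string $json, bool $dropBody): string
{
    $out = '';
    $inString = false;
    for ($i = 0, $len = strlen($json); $i < $len; $i++) {
        $c = $json[$i];
        if ($inString) {
            $out .= $c;
            if ($c === '\\' && $i + 1 < $len) {
                $out .= $json[++$i];   // copy the escaped character untouched
            } elseif ($c === '"') {
                $inString = false;
            }
        } elseif ($c === '"') {
            $inString = true;
            $out .= $c;
        } elseif (substr($json, $i, 2) === '/*') {
            $end = strpos($json, '*/', $i + 2);
            if ($end === false) {
                throw new InvalidArgumentException('unterminated comment');
            }
            $out .= $dropBody ? '' : substr($json, $i + 2, $end - $i - 2);
            $i = $end + 1;             // continue after the closing marker
        } else {
            $out .= $c;
        }
    }
    return $out;
}

// Decode one document under the three policies the message asks about.
function readings(string $json): array
{
    return [
        'strict (json_decode as-is)' => json_decode($json, true),
        'comment-aware (body dropped)' => json_decode(rewriteComments($json, true), true),
        'markers skipped (duplicate key)' => json_decode(rewriteComments($json, false), true),
    ];
}
foreach (readings(SAMPLE) as $policy => $value) {
    echo $policy, ': test = ', json_encode($value['test'] ?? null), PHP_EOL;
}
```

When two components handle the same untrusted document, any disagreement between these readings is the condition to reject on.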