Newsgroups: php.internals
Xref: news.php.net php.internals:33557
Message-ID: <475081DD.90404@php.net>
Date: Fri, 30 Nov 2007 13:34:21 -0800
From: pollita@php.net (Sara Golemon)
To: Stanislav Malyshev
CC: omar@php.net, PHP Internals
References: <474F0EE7.8020201@php.net> <474F4E47.8050506@zend.com> <474F5E12.1050404@php.net> <474F5F75.3030808@zend.com>
In-Reply-To: <474F5F75.3030808@zend.com>
Subject: Re: [PHP-DEV] Proposed feature for json_encode()

Stanislav Malyshev wrote:
>> You're absolutely correct that this won't save us from brain-dead
>> engineers; what it will save us from is broken browsers which
>> misinterpret otherwise legitimate data and get broken out of their
>> proper context. (Yes, I've seen browsers do exactly this, and you can
>> probably guess which versions.)
>
> Could you explain in which context? I.e. say I had a broken browser, and
> some JSON data having inside it - in which context could that get
> me into trouble?

I can't, because I don't know of any successful vectors *currently*. I
also would have sworn that echoing htmlentified data was safe... until I
came across a browser where it wasn't.

Since I can't show you a known problem that this *will* absolutely fix,
I'm not suggesting that the default behavior be so paranoiac. I'm just
suggesting that users have the option to apply belt-and-suspenders logic
if they feel so inclined.

That said, after yesterday's post I realized that it *should* be safe
enough to do:

    $str = str_replace(array('<', '>', "'", '&'),
                       array('\\u003C', '\\u003E', '\\u0027', '\\u0026'),
                       json_encode($data));

That feels terribly hacky, though, and I'd really rather perform the
escaping inside json_encode() while acting on the actual value... it
just seems more appropriate to me.

-Sara
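The two escaping strategies discussed in the message, as an added example that is not part of Sara's post or of PHP's json extension: the str_replace() post-processing she proposes, next to the in-encoder variant she argues for, written with the JSON_HEX_TAG / JSON_HEX_APOS / JSON_HEX_AMP / JSON_HEX_QUOT flags that json_encode() accepts from PHP 5.3.0 onward. The function names, the payload and the comments are constructed for this example.

```php
<?php
// Added example (not from the original thread): both escaping strategies
// applied to a constructed payload containing the characters a browser
// could misread when the JSON is inlined in an HTML page.

/**
 * Post-process json_encode() output as the message proposes.
 *
 * Running this over the whole encoded document is safe because none of the
 * four replaced characters can appear outside a JSON string literal: JSON
 * structure uses only { } [ ] : , and double quotes, and json_encode()
 * already escapes " and \ inside strings. A \uXXXX escape is valid JSON
 * wherever these characters stood, so the decoded value is unchanged.
 */
function json_encode_html_safe_post($data)
{
    $json = json_encode($data);
    if ($json === false) {
        return false;
    }
    return str_replace(
        array('<', '>', "'", '&'),
        array('\\u003C', '\\u003E', '\\u0027', '\\u0026'),
        $json
    );
}

/**
 * The same escaping done inside the encoder (PHP >= 5.3.0).
 * JSON_HEX_QUOT additionally turns " inside string values into \u0022.
 */
function json_encode_html_safe_flags($data)
{
    return json_encode(
        $data,
        JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_AMP | JSON_HEX_QUOT
    );
}

// Constructed input: a string value that would close an inline <script>
// element and open a new one if emitted verbatim into an HTML page.
$payload = array(
    'name'    => "O'Brien & Sons",
    'comment' => '</script><script>alert(1)</script>',
    'ratio'   => 0.5,
    'tags'    => array('a<b', 'b>c'),
);

$post  = json_encode_html_safe_post($payload);
$flags = json_encode_html_safe_flags($payload);

// Neither output contains a literal angle bracket, apostrophe or
// ampersand, so it cannot end a <script> element or be read as markup.
assert(strpbrk($post, "<>'&") === false);
assert(strpbrk($flags, "<>'&") === false);

// Both outputs are still valid JSON and decode back to the original data.
assert(json_decode($post, true) === $payload);
assert(json_decode($flags, true) === $payload);

echo "post-processed: $post\n";
echo "with flags:     $flags\n";

// The escaped form can be inlined into a page without further treatment.
echo "<script>var data = $post;</script>\n";
```

Two practical notes. First, json_encode() escapes `/` as `\/` by default, so `</script>` inside a value already reaches the page as `<\/script>`, which the HTML parser does not treat as an end tag; the angle-bracket escaping is the belt-and-suspenders layer on top of that. Second, the str_replace() version does not touch `"` (json_encode() leaves it as `\"`), whereas JSON_HEX_QUOT rewrites it to `\u0022`; both are valid JSON, so decoding results are identical.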