Newsgroups: php.internals
Subject: Re: [PHP-DEV] Proposed feature for json_encode()
From: Stanislav Malyshev <stas@zend.com>
To: Sara Golemon
CC: Rasmus Lerdorf, Keryx Web, PHP Developers Mailing List
Date: Wed, 05 Dec 2007 11:01:53 -0800
Message-ID: <4756F5A1.9090302@zend.com>
In-Reply-To: <4756F48B.2070609@php.net>

> The second is the one I'm trying to address, wherein data that belongs
> in a JS parsing context may (coincidentally) contain HTML parsable data.
> For *whatever* reason, this data may accidentally be echoed outside of a
> JS context, or a parsing/rendering error may lead to the browser
> switching unexpectedly to an HTML context. By outputting \u00XX instead
> of <>&', the data remains valid (and syntactically unmodified) for JS
> parsing, but becomes impotent against exploitability in an HTML context.

Yes, I get it now, and with this in mind the feature indeed seems very
useful. Just document it well so people have a clear understanding of
what it can and can't do, now that we seem to have a good understanding
of what it is.

-- 
Stanislav Malyshev, Zend Software Architect
stas@zend.com  http://www.zend.com/
(408)253-8829  MSN: stas@zend.com