… | |
… | |
99 | |
99 | |
100 | =cut |
100 | =cut |
101 | |
101 | |
102 | package JSON::XS; |
102 | package JSON::XS; |
103 | |
103 | |
104 | no warnings; |
104 | use common::sense; |
105 | use strict; |
|
|
106 | |
105 | |
107 | our $VERSION = '2.232'; |
106 | our $VERSION = '2.27'; |
108 | our @ISA = qw(Exporter); |
107 | our @ISA = qw(Exporter); |
109 | |
108 | |
110 | our @EXPORT = qw(encode_json decode_json to_json from_json); |
109 | our @EXPORT = qw(encode_json decode_json to_json from_json); |
111 | |
110 | |
112 | sub to_json($) { |
111 | sub to_json($) { |
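Review bot: the switch from `no warnings; use strict;` to `use common::sense;` at line 104 makes the module depend on a pragma module that lives outside this file, and nothing in the visible lines shows it being declared as a prerequisite. Please confirm the distribution's build file lists common::sense, otherwise the module fails at load time on systems that lack it. A change log entry noting that the effective strict and warnings settings now come from that module rather than from this file would also help anyone auditing the code.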
… | |
… | |
441 | the same JSON text (given the same overall settings). If it is disabled, |
440 | the same JSON text (given the same overall settings). If it is disabled, |
442 | the same hash might be encoded differently even if contains the same data, |
441 | the same hash might be encoded differently even if contains the same data, |
443 | as key-value pairs have no inherent ordering in Perl. |
442 | as key-value pairs have no inherent ordering in Perl. |
444 | |
443 | |
445 | This setting has no effect when decoding JSON texts. |
444 | This setting has no effect when decoding JSON texts. |
|
|
445 | |
|
|
446 | This setting has currently no effect on tied hashes. |
446 | |
447 | |
447 | =item $json = $json->allow_nonref ([$enable]) |
448 | =item $json = $json->allow_nonref ([$enable]) |
448 | |
449 | |
449 | =item $enabled = $json->get_allow_nonref |
450 | =item $enabled = $json->get_allow_nonref |
450 | |
451 | |
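Review bot: the new sentence at line 446, "This setting has currently no effect on tied hashes.", states the limitation but not its consequence. The paragraph above promises that the same data structure always yields the same JSON text; say explicitly that this guarantee does not hold for tied hashes, so callers who compare or digest the encoded output know not to rely on it there. "currently has no effect" also reads better than "has currently no effect".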
… | |
… | |
1209 | use JSON::XS; |
1210 | use JSON::XS; |
1210 | |
1211 | |
1211 | print encode_json [chr 0x2028]; |
1212 | print encode_json [chr 0x2028]; |
1212 | |
1213 | |
1213 | The right fix for this is to use a proper JSON parser in your javascript |
1214 | The right fix for this is to use a proper JSON parser in your javascript |
1214 | programs, and not rely on C<eval>. |
1215 | programs, and not rely on C<eval> (see for example Douglas Crockford's |
|
|
1216 | F<json2.js> parser). |
1215 | |
1217 | |
1216 | If this is not an option, you can, as a stop-gap measure, simply encode to |
1218 | If this is not an option, you can, as a stop-gap measure, simply encode to |
1217 | ASCII-only JSON: |
1219 | ASCII-only JSON: |
1218 | |
1220 | |
1219 | use JSON::XS; |
1221 | use JSON::XS; |
1220 | |
1222 | |
1221 | print JSON::XS->new->ascii->encode ([chr 0x2028]); |
1223 | print JSON::XS->new->ascii->encode ([chr 0x2028]); |
1222 | |
1224 | |
1223 | And if you are concerned about the size of the resulting JSON text, you |
1225 | Note that this will enlarge the resulting JSON text quite a bit if you |
1224 | can run some regexes to only escape U+2028 and U+2029: |
1226 | have many non-ASCII characters. You might be tempted to run some regexes |
|
|
1227 | to only escape U+2028 and U+2029, e.g.: |
1225 | |
1228 | |
1226 | use JSON::XS; |
1229 | # DO NOT USE THIS! |
1227 | |
|
|
1228 | my $json = JSON::XS->new->utf8->encode ([chr 0x2028]); |
1230 | my $json = JSON::XS->new->utf8->encode ([chr 0x2028]); |
1229 | $json =~ s/\xe2\x80\xa8/\\u2028/g; # escape U+2028 |
1231 | $json =~ s/\xe2\x80\xa8/\\u2028/g; # escape U+2028 |
1230 | $json =~ s/\xe2\x80\xa9/\\u2029/g; # escape U+2029 |
1232 | $json =~ s/\xe2\x80\xa9/\\u2029/g; # escape U+2029 |
1231 | print $json; |
1233 | print $json; |
1232 | |
1234 | |
1233 | This works because U+2028/U+2029 are not allowed outside of strings and |
1235 | Note that I<this is a bad idea>: the above only works for U+2028 and |
1234 | are not used for syntax, so replacing them unconditionally just works. |
|
|
1235 | |
|
|
1236 | Note, however, that fixing the broken JSON parser is better than working |
|
|
1237 | around it in every other generator. The above regexes should work well in |
|
|
1238 | other languages, as long as they operate on UTF-8. It is equally valid to |
|
|
1239 | replace all occurences of U+2028/2029 directly by their \\u-escaped forms |
|
|
1240 | in unicode texts, so they can simply be used to fix any parsers relying on |
|
|
1241 | C<eval> by first applying the regexes on the encoded texts. |
|
|
1242 | |
|
|
1243 | Note also that the above only works for U+2028 and U+2029 and thus |
|
|
1244 | only for fully ECMAscript-compliant parsers. Many existing javascript |
1236 | U+2029 and thus only for fully ECMAscript-compliant parsers. Many existing |
1245 | implementations misparse other characters as well. Best rely on a good |
1237 | javascript implementations, however, have issues with other characters as |
1246 | JSON parser, such as Douglas Crockfords F<json2.js>, which escapes the |
1238 | well - using C<eval> naively simply I<will> cause problems. |
1247 | above and many more problematic characters properly before passing them |
|
|
1248 | into C<eval>. |
|
|
1249 | |
1239 | |
1250 | Another problem is that some javascript implementations reserve |
1240 | Another problem is that some javascript implementations reserve |
1251 | some property names for their own purposes (which probably makes |
1241 | some property names for their own purposes (which probably makes |
1252 | them non-ECMAscript-compliant). For example, Iceweasel reserves the |
1242 | them non-ECMAscript-compliant). For example, Iceweasel reserves the |
1253 | C<__proto__> property name for it's own purposes. |
1243 | C<__proto__> property name for it's own purposes. |
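Review bot: the snippet at lines 1229-1233 is now marked "# DO NOT USE THIS!" but is still printed in full, and the rewritten paragraph at lines 1235-1238 ends on "using C<eval> naively simply I<will> cause problems" without saying what to do instead. Close that paragraph by pointing back to the two options the text does recommend (a proper JSON parser such as F<json2.js>, or the C<ascii> encoder shown above), so a reader who skims to the code does not leave with only the regexes. The snippet also lost its `use JSON::XS;` line, unlike the two examples before it. Separately, "it's own purposes" at line 1243 should be "its".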
… | |
… | |
1278 | my $yaml = $to_yaml->encode ($ref) . "\n"; |
1268 | my $yaml = $to_yaml->encode ($ref) . "\n"; |
1279 | |
1269 | |
1280 | This will I<usually> generate JSON texts that also parse as valid |
1270 | This will I<usually> generate JSON texts that also parse as valid |
1281 | YAML. Please note that YAML has hardcoded limits on (simple) object key |
1271 | YAML. Please note that YAML has hardcoded limits on (simple) object key |
1282 | lengths that JSON doesn't have and also has different and incompatible |
1272 | lengths that JSON doesn't have and also has different and incompatible |
1283 | unicode handling, so you should make sure that your hash keys are |
1273 | unicode character escape syntax, so you should make sure that your hash |
1284 | noticeably shorter than the 1024 "stream characters" YAML allows and that |
1274 | keys are noticeably shorter than the 1024 "stream characters" YAML allows |
1285 | you do not have characters with codepoint values outside the Unicode BMP |
1275 | and that you do not have characters with codepoint values outside the |
1286 | (basic multilingual page). YAML also does not allow C<\/> sequences in |
1276 | Unicode BMP (basic multilingual page). YAML also does not allow C<\/> |
1287 | strings (which JSON::XS does not I<currently> generate, but other JSON |
1277 | sequences in strings (which JSON::XS does not I<currently> generate, but |
1288 | generators might). |
1278 | other JSON generators might). |
1289 | |
1279 | |
1290 | There might be other incompatibilities that I am not aware of (or the YAML |
1280 | There might be other incompatibilities that I am not aware of (or the YAML |
1291 | specification has been changed yet again - it does so quite often). In |
1281 | specification has been changed yet again - it does so quite often). In |
1292 | general you should not try to generate YAML with a JSON generator or vice |
1282 | general you should not try to generate YAML with a JSON generator or vice |
1293 | versa, or try to parse JSON with a YAML parser or vice versa: chances are |
1283 | versa, or try to parse JSON with a YAML parser or vice versa: chances are |
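Review bot: since this paragraph is being rewrapped anyway, "Unicode BMP (basic multilingual page)" at lines 1275-1276 should read "Basic Multilingual Plane". The change from "unicode handling" to "unicode character escape syntax" at line 1273 is more precise, but the advice that follows (avoid codepoints outside the BMP) is joined to it only by "so"; if the escape syntax for those characters is the reason, one clause saying so would make the advice checkable.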
… | |
… | |
1311 | proponents, I would kindly suggest reading the JSON spec (which is not |
1301 | proponents, I would kindly suggest reading the JSON spec (which is not |
1312 | that difficult or long) and finally make YAML compatible to it, and |
1302 | that difficult or long) and finally make YAML compatible to it, and |
1313 | educating users about the changes, instead of spreading lies about the |
1303 | educating users about the changes, instead of spreading lies about the |
1314 | real compatibility for many I<years> and trying to silence people who |
1304 | real compatibility for many I<years> and trying to silence people who |
1315 | point out that it isn't true. |
1305 | point out that it isn't true. |
|
|
1306 | |
|
|
1307 | Addendum/2009: the YAML 1.2 spec is still incomaptible with JSON, even |
|
|
1308 | though the incompatibilities have been documented (and are known to |
|
|
1309 | Brian) for many years and the spec makes explicit claims that YAML is a |
|
|
1310 | superset of JSON. It would be so easy to fix, but apparently, bullying and |
|
|
1311 | corrupting userdata is so much easier. |
1316 | |
1312 | |
1317 | =back |
1313 | =back |
1318 | |
1314 | |
1319 | |
1315 | |
1320 | =head2 SPEED |
1316 | =head2 SPEED |
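Review bot: typo at line 1307, "incomaptible" should be "incompatible", and "userdata" at line 1311 should be "user data". The addendum says the incompatibilities "have been documented" but gives no pointer to where; a reference or a short list of them would serve readers better than the closing sentence at lines 1310-1311, which gives them nothing to act on.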
… | |
… | |
1416 | information you might want to make sure that exceptions thrown by JSON::XS |
1412 | information you might want to make sure that exceptions thrown by JSON::XS |
1417 | will not end up in front of untrusted eyes. |
1413 | will not end up in front of untrusted eyes. |
1418 | |
1414 | |
1419 | If you are using JSON::XS to return packets to consumption |
1415 | If you are using JSON::XS to return packets to consumption |
1420 | by JavaScript scripts in a browser you should have a look at |
1416 | by JavaScript scripts in a browser you should have a look at |
1421 | L<http://jpsykes.com/47/practical-csrf-and-json-security> to see whether |
1417 | L<http://blog.archive.jpsykes.com/47/practical-csrf-and-json-security/> to |
1422 | you are vulnerable to some common attack vectors (which really are browser |
1418 | see whether you are vulnerable to some common attack vectors (which really |
1423 | design bugs, but it is still you who will have to deal with it, as major |
1419 | are browser design bugs, but it is still you who will have to deal with |
1424 | browser developers care only for features, not about getting security |
1420 | it, as major browser developers care only for features, not about getting |
1425 | right). |
1421 | security right). |
1426 | |
1422 | |
1427 | |
1423 | |
1428 | =head1 THREADS |
1424 | =head1 THREADS |
1429 | |
1425 | |
1430 | This module is I<not> guaranteed to be thread safe and there are no |
1426 | This module is I<not> guaranteed to be thread safe and there are no |
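Review bot: the security advice at lines 1415-1421 rests entirely on one external URL, and this hunk shows that URL has already moved once. Add a sentence naming what the linked article covers (its title refers to CSRF and JSON) so the warning still tells the reader what to check for when the link breaks again.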