… | |
… | |
40 | Beginning with version 2.0 of the JSON module, when both JSON and |
40 | Beginning with version 2.0 of the JSON module, when both JSON and |
41 | JSON::XS are installed, then JSON will fall back on JSON::XS (this can be |
41 | JSON::XS are installed, then JSON will fall back on JSON::XS (this can be |
42 | overridden) with no overhead due to emulation (by inheriting constructor |
42 | overridden) with no overhead due to emulation (by inheriting constructor |
43 | and methods). If JSON::XS is not available, it will fall back to the |
43 | and methods). If JSON::XS is not available, it will fall back to the |
44 | compatible JSON::PP module as backend, so using JSON instead of JSON::XS |
44 | compatible JSON::PP module as backend, so using JSON instead of JSON::XS |
45 | gives you a portable JSON API that can be fast when you need and doesn't |
45 | gives you a portable JSON API that can be fast when you need it and |
46 | require a C compiler when that is a problem. |
46 | doesn't require a C compiler when that is a problem. |
47 | |
47 | |
48 | As this is the n-th-something JSON module on CPAN, what was the reason |
48 | As this is the n-th-something JSON module on CPAN, what was the reason |
49 | to write yet another JSON module? While it seems there are many JSON |
49 | to write yet another JSON module? While it seems there are many JSON |
50 | modules, none of them correctly handle all corner cases, and in most cases |
50 | modules, none of them correctly handle all corner cases, and in most cases |
51 | their maintainers are unresponsive, gone missing, or not listening to bug |
51 | their maintainers are unresponsive, gone missing, or not listening to bug |
… | |
… | |
101 | |
101 | |
102 | package JSON::XS; |
102 | package JSON::XS; |
103 | |
103 | |
104 | use common::sense; |
104 | use common::sense; |
105 | |
105 | |
106 | our $VERSION = 3.01; |
106 | our $VERSION = 3.04; |
107 | our @ISA = qw(Exporter); |
107 | our @ISA = qw(Exporter); |
108 | |
108 | |
109 | our @EXPORT = qw(encode_json decode_json); |
109 | our @EXPORT = qw(encode_json decode_json); |
110 | |
110 | |
111 | use Exporter; |
111 | use Exporter; |
… | |
… | |
402 | character, after which more white-space and comments are allowed. |
402 | character, after which more white-space and comments are allowed. |
403 | |
403 | |
404 | [ |
404 | [ |
405 | 1, # this comment not allowed in JSON |
405 | 1, # this comment not allowed in JSON |
406 | # neither this one... |
406 | # neither this one... |
|
|
407 | ] |
|
|
408 | |
|
|
409 | =item * literal ASCII TAB characters in strings |
|
|
410 | |
|
|
411 | Literal ASCII TAB characters are now allowed in strings (and treated as |
|
|
412 | C<\t>). |
|
|
413 | |
|
|
414 | [ |
|
|
415 | "Hello\tWorld", |
|
|
416 | "Hello<TAB>World", # literal <TAB> would not normally be allowed |
407 | ] |
417 | ] |
408 | |
418 | |
409 | =back |
419 | =back |
410 | |
420 | |
411 | =item $json = $json->canonical ([$enable]) |
421 | =item $json = $json->canonical ([$enable]) |
… | |
… | |
687 | |
697 | |
688 | This is useful if your JSON texts are not delimited by an outer protocol |
698 | This is useful if your JSON texts are not delimited by an outer protocol |
689 | and you need to know where the JSON text ends. |
699 | and you need to know where the JSON text ends. |
690 | |
700 | |
691 | JSON::XS->new->decode_prefix ("[1] the tail") |
701 | JSON::XS->new->decode_prefix ("[1] the tail") |
692 | => ([], 3) |
702 | => ([1], 3) |
693 | |
703 | |
694 | =back |
704 | =back |
695 | |
705 | |
696 | |
706 | |
697 | =head1 INCREMENTAL PARSING |
707 | =head1 INCREMENTAL PARSING |
… | |
… | |
738 | C<incr_skip> to skip the erroneous part). This is the most common way of |
748 | C<incr_skip> to skip the erroneous part). This is the most common way of |
739 | using the method. |
749 | using the method. |
740 | |
750 | |
741 | And finally, in list context, it will try to extract as many objects |
751 | And finally, in list context, it will try to extract as many objects |
742 | from the stream as it can find and return them, or the empty list |
752 | from the stream as it can find and return them, or the empty list |
743 | otherwise. For this to work, there must be no separators between the JSON |
753 | otherwise. For this to work, there must be no separators (other than |
744 | objects or arrays, instead they must be concatenated back-to-back. If |
754 | whitespace) between the JSON objects or arrays, instead they must be |
745 | an error occurs, an exception will be raised as in the scalar context |
755 | concatenated back-to-back. If an error occurs, an exception will be |
746 | case. Note that in this case, any previously-parsed JSON texts will be |
756 | raised as in the scalar context case. Note that in this case, any |
747 | lost. |
757 | previously-parsed JSON texts will be lost. |
748 | |
758 | |
749 | Example: Parse some JSON arrays/objects in a given string and return |
759 | Example: Parse some JSON arrays/objects in a given string and return |
750 | them. |
760 | them. |
751 | |
761 | |
752 | my @objs = JSON::XS->new->incr_parse ("[5][7][1,2]"); |
762 | my @objs = JSON::XS->new->incr_parse ("[5][7][1,2]"); |
… | |
… | |
758 | C<incr_parse> in I<scalar context> successfully returned an object. Under |
768 | C<incr_parse> in I<scalar context> successfully returned an object. Under |
759 | all other circumstances you must not call this function (I mean it. |
769 | all other circumstances you must not call this function (I mean it. |
760 | although in simple tests it might actually work, it I<will> fail under |
770 | although in simple tests it might actually work, it I<will> fail under |
761 | real world conditions). As a special exception, you can also call this |
771 | real world conditions). As a special exception, you can also call this |
762 | method before having parsed anything. |
772 | method before having parsed anything. |
|
|
773 | |
|
|
774 | That means you can only use this function to look at or manipulate text |
|
|
775 | before or after complete JSON objects, not while the parser is in the |
|
|
776 | middle of parsing a JSON object. |
763 | |
777 | |
764 | This function is useful in two cases: a) finding the trailing text after a |
778 | This function is useful in two cases: a) finding the trailing text after a |
765 | JSON object or b) parsing multiple JSON objects separated by non-JSON text |
779 | JSON object or b) parsing multiple JSON objects separated by non-JSON text |
766 | (such as commas). |
780 | (such as commas). |
767 | |
781 | |
… | |
… | |
1553 | are browser design bugs, but it is still you who will have to deal with |
1567 | are browser design bugs, but it is still you who will have to deal with |
1554 | it, as major browser developers care only for features, not about getting |
1568 | it, as major browser developers care only for features, not about getting |
1555 | security right). |
1569 | security right). |
1556 | |
1570 | |
1557 | |
1571 | |
|
|
1572 | =head1 "OLD" VS. "NEW" JSON (RFC 4627 VS. RFC 7159) |
|
|
1573 | |
|
|
1574 | TL;DR: Due to security concerns, JSON::XS will not allow scalar data in |
|
|
1575 | JSON texts by default - you need to create your own JSON::XS object and |
|
|
1576 | enable C<allow_nonref>: |
|
|
1577 | |
|
|
1578 | |
|
|
1579 | my $json = JSON::XS->new->allow_nonref; |
|
|
1580 | |
|
|
1581 | $text = $json->encode ($data); |
|
|
1582 | $data = $json->decode ($text); |
|
|
1583 | |
|
|
1584 | The long version: JSON being an important and supposedly stable format, |
|
|
1585 | the IETF standardised it as RFC 4627 in 2006. Unfortunately, the inventor |
|
|
1586 | of JSON, Dougles Crockford, unilaterally changed the definition of JSON in |
|
|
1587 | javascript. Rather than create a fork, the IETF decided to standardise the |
|
|
1588 | new syntax (apparently, so Iw as told, without finding it very amusing). |
|
|
1589 | |
|
|
1590 | The biggest difference between thed original JSON and the new JSON is that |
|
|
1591 | the new JSON supports scalars (anything other than arrays and objects) at |
|
|
1592 | the toplevel of a JSON text. While this is strictly backwards compatible |
|
|
1593 | to older versions, it breaks a number of protocols that relied on sending |
|
|
1594 | JSON back-to-back, and is a minor security concern. |
|
|
1595 | |
|
|
1596 | For example, imagine you have two banks communicating, and on one side, |
|
|
1597 | trhe JSON coder gets upgraded. Two messages, such as C<10> and C<1000> |
|
|
1598 | might then be confused to mean C<101000>, something that couldn't happen |
|
|
1599 | in the original JSON, because niether of these messages would be valid |
|
|
1600 | JSON. |
|
|
1601 | |
|
|
1602 | If one side accepts these messages, then an upgrade in the coder on either |
|
|
1603 | side could result in this becoming exploitable. |
|
|
1604 | |
|
|
1605 | This module has always allowed these messages as an optional extension, by |
|
|
1606 | default disabled. The security concerns are the reason why the default is |
|
|
1607 | still disabled, but future versions might/will likely upgrade to the newer |
|
|
1608 | RFC as default format, so you are advised to check your implementation |
|
|
1609 | and/or override the default with C<< ->allow_nonref (0) >> to ensure that |
|
|
1610 | future versions are safe. |
|
|
1611 | |
|
|
1612 | |
1558 | =head1 INTEROPERABILITY WITH OTHER MODULES |
1613 | =head1 INTEROPERABILITY WITH OTHER MODULES |
1559 | |
1614 | |
1560 | C<JSON::XS> uses the L<Types::Serialiser> module to provide boolean |
1615 | C<JSON::XS> uses the L<Types::Serialiser> module to provide boolean |
1561 | constants. That means that the JSON true and false values will be |
1616 | constants. That means that the JSON true and false values will be |
1562 | comaptible to true and false values of iother modules that do the same, |
1617 | comaptible to true and false values of other modules that do the same, |
1563 | such as L<JSON::PP> and L<CBOR::XS>. |
1618 | such as L<JSON::PP> and L<CBOR::XS>. |
1564 | |
1619 | |
1565 | |
1620 | |
1566 | =head1 INTEROPERABILITY WITH OTHER JSON DECODERS |
1621 | =head1 INTEROPERABILITY WITH OTHER JSON DECODERS |
1567 | |
1622 | |
… | |
… | |
1584 | |
1639 | |
1585 | When you use C<allow_tags> to use the extended (and also nonstandard and |
1640 | When you use C<allow_tags> to use the extended (and also nonstandard and |
1586 | invalid) JSON syntax for serialised objects, and you still want to decode |
1641 | invalid) JSON syntax for serialised objects, and you still want to decode |
1587 | the generated When you want to serialise objects, you can run a regex |
1642 | the generated When you want to serialise objects, you can run a regex |
1588 | to replace the tagged syntax by standard JSON arrays (it only works for |
1643 | to replace the tagged syntax by standard JSON arrays (it only works for |
1589 | "normal" packagesnames without comma, newlines or single colons). First, |
1644 | "normal" package names without comma, newlines or single colons). First, |
1590 | the readable Perl version: |
1645 | the readable Perl version: |
1591 | |
1646 | |
1592 | # if your FREEZE methods return no values, you need this replace first: |
1647 | # if your FREEZE methods return no values, you need this replace first: |
1593 | $json =~ s/\( \s* (" (?: [^\\":,]+|\\.|::)* ") \s* \) \s* \[\s*\]/[$1]/gx; |
1648 | $json =~ s/\( \s* (" (?: [^\\":,]+|\\.|::)* ") \s* \) \s* \[\s*\]/[$1]/gx; |
1594 | |
1649 | |
… | |
… | |
1612 | |
1667 | |
1613 | And after decoding the JSON text, you could walk the data |
1668 | And after decoding the JSON text, you could walk the data |
1614 | structure looking for arrays with a first element of |
1669 | structure looking for arrays with a first element of |
1615 | C<XU1peReLzT4ggEllLanBYq4G9VzliwKF>. |
1670 | C<XU1peReLzT4ggEllLanBYq4G9VzliwKF>. |
1616 | |
1671 | |
1617 | The same approach cna be used to create the tagged format with another |
1672 | The same approach can be used to create the tagged format with another |
1618 | encoder. First, you create an array with the magic string as first member, |
1673 | encoder. First, you create an array with the magic string as first member, |
1619 | the classname as second, and constructor arguments last, encode it as part |
1674 | the classname as second, and constructor arguments last, encode it as part |
1620 | of your JSON structure, and then: |
1675 | of your JSON structure, and then: |
1621 | |
1676 | |
1622 | $json =~ s/\[\s*"XU1peReLzT4ggEllLanBYq4G9VzliwKF"\s*,\s*("([^\\":,]+|\\.|::)*")\s*,/($1)[/g; |
1677 | $json =~ s/\[\s*"XU1peReLzT4ggEllLanBYq4G9VzliwKF"\s*,\s*("([^\\":,]+|\\.|::)*")\s*,/($1)[/g; |
1623 | |
1678 | |
1624 | Again, this has some limitations - the magic string must not be encoded |
1679 | Again, this has some limitations - the magic string must not be encoded |
1625 | with character escapes, and the constructor arguments must be non-empty. |
1680 | with character escapes, and the constructor arguments must be non-empty. |
1626 | |
1681 | |
1627 | |
1682 | |
1628 | =head1 RFC7158 |
1683 | =head1 RFC7159 |
1629 | |
1684 | |
1630 | Since this module was written, Google has written a new JSON RFC, RFC |
1685 | Since this module was written, Google has written a new JSON RFC, RFC 7159 |
1631 | 7158. Unfortunately, this RFC breaks compatibility with both the original |
1686 | (and RFC7158). Unfortunately, this RFC breaks compatibility with both the |
1632 | JSON specification on www.json.org and RFC4627. |
1687 | original JSON specification on www.json.org and RFC4627. |
1633 | |
1688 | |
1634 | As far as I can see, you can get partial compatibility when parsing by |
1689 | As far as I can see, you can get partial compatibility when parsing by |
1635 | using C<< ->allow_nonref >>. However, consider thew security implications |
1690 | using C<< ->allow_nonref >>. However, consider the security implications |
1636 | of doing so. |
1691 | of doing so. |
1637 | |
1692 | |
1638 | I haven't decided yet whether to break compatibility with RFC4627 by |
1693 | I haven't decided yet when to break compatibility with RFC4627 by default |
1639 | default (and potentially leave applications insecure), or change the |
1694 | (and potentially leave applications insecure) and change the default to |
1640 | default to follow RFC7158. |
1695 | follow RFC7159, but application authors are well advised to call C<< |
|
|
1696 | ->allow_nonref(0) >> even if this is the current default, if they cannot |
|
|
1697 | handle non-reference values, in preparation for the day when the default |
|
|
1698 | will change. |
1641 | |
1699 | |
1642 | |
1700 | |
1643 | =head1 THREADS |
1701 | =head1 (I-)THREADS |
1644 | |
1702 | |
1645 | This module is I<not> guaranteed to be thread safe and there are no |
1703 | This module is I<not> guaranteed to be ithread (or MULTIPLICITY-) safe |
1646 | plans to change this until Perl gets thread support (as opposed to the |
1704 | and there are no plans to change this. Note that perl's builtin so-called |
1647 | horribly slow so-called "threads" which are simply slow and bloated |
1705 | theeads/ithreads are officially deprecated and should not be used. |
1648 | process simulations - use fork, it's I<much> faster, cheaper, better). |
|
|
1649 | |
|
|
1650 | (It might actually work, but you have been warned). |
|
|
1651 | |
1706 | |
1652 | |
1707 | |
1653 | =head1 THE PERILS OF SETLOCALE |
1708 | =head1 THE PERILS OF SETLOCALE |
1654 | |
1709 | |
1655 | Sometimes people avoid the Perl locale support and directly call the |
1710 | Sometimes people avoid the Perl locale support and directly call the |