 |
 |
It doesn't help that plenty of tutorials, like W3Schools, mention eval() without any qualifications about the security risks. Kate Deibel, PhD | Web Applications Specialist Information Technology Services University of Washington Libraries http://staff.washington.edu/deibel -- "When Thor shows up, it's always deus ex machina." On 12/18/2015 9:48 AM, Eric Phetteplace wrote: > Agreed, I thought the JSON criticism was a bit of stretch. It's hilarious > that json.org, *created by Douglas Crockford*, mentions using eval() as a > JSON parser, though. > > Best, > Eric > > On Thu, Dec 17, 2015 at 8:42 PM, Brian Hoffman <[log in to unmask]> > wrote: > >> Thanks, this was interesting. But the JSON segment is a little less than >> terrifying as it’s predicated on the misuse of eval(), which is commonly >> and easily avoided. >> >> >>> On Dec 17, 2015, at 11:00 PM, CODE4LIB automatic digest system < >> [log in to unmask]> wrote: >>> >>> >>> Date: Thu, 17 Dec 2015 09:22:07 -0500 >>> From: Andromeda Yelton <[log in to unmask] <mailto: >> [log in to unmask]>> >>> Subject: yaml/xml/json, POST data, bloodcurdling terror >>> >>> I strongly recommend this hilarious, terrifying PyCon talk about >>> vulnerabilities in yaml, xml, and json processing: >>> https://www.youtube.com/watch?v=kjZHjvrAS74 < >> https://www.youtube.com/watch?v=kjZHjvrAS74> >>> >>> If you process user-submitted data in these formats and don't yet know >> why >>> you should be flatly terrified, please watch this ASAP; it's >> illuminating. >>> If you *do* know why you should be terrified, watch it anyway and giggle >>> along in knowing recognition, because the talk is really very funny. >>> >>> -- >>> Andromeda Yelton >>> Board of Directors, Library & Information Technology Association: >>> http://www.lita.org <http://www.lita.org/> >>> http://andromedayelton.com <http://andromedayelton.com/> >>> @ThatAndromeda <http://twitter.com/ThatAndromeda < >> http://twitter.com/ThatAndromeda>> >>