Agreed, I thought the JSON criticism was a bit of a stretch. It's hilarious
that json.org, *created by Douglas Crockford*, mentions using eval() as a
JSON parser, though.
Best,
Eric
On Thu, Dec 17, 2015 at 8:42 PM, Brian Hoffman <[log in to unmask]>
wrote:
> Thanks, this was interesting. But the JSON segment is a little less than
> terrifying as it’s predicated on the misuse of eval(), which is commonly
> and easily avoided.
>
>
> > On Dec 17, 2015, at 11:00 PM, CODE4LIB automatic digest system <[log in to unmask]> wrote:
> >
> >
> > Date: Thu, 17 Dec 2015 09:22:07 -0500
> > From: Andromeda Yelton <[log in to unmask]>
> > Subject: yaml/xml/json, POST data, bloodcurdling terror
> >
> > I strongly recommend this hilarious, terrifying PyCon talk about
> > vulnerabilities in yaml, xml, and json processing:
> > https://www.youtube.com/watch?v=kjZHjvrAS74
> >
> > If you process user-submitted data in these formats and don't yet know
> > why you should be flatly terrified, please watch this ASAP; it's
> > illuminating. If you *do* know why you should be terrified, watch it
> > anyway and giggle along in knowing recognition, because the talk is
> > really very funny.
> >
> > --
> > Andromeda Yelton
> > Board of Directors, Library & Information Technology Association:
> > http://www.lita.org
> > http://andromedayelton.com
> > @ThatAndromeda <http://twitter.com/ThatAndromeda>
>
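As an added example, not code posted by anyone in this thread: the eval()-as-JSON-parser misuse that Brian and Eric refer to, shown beside JSON.parse and a minimal shape check. The payload string, the function names (parseWithEval, parseWithJsonParse, validateUser, demo) and the {user, role} schema are all constructed for this illustration.

```javascript
// Added example for the eval() vs JSON.parse discussion above. Everything
// here (payload, function names, the expected {user, role} shape) is
// constructed for illustration and is not from the thread or from json.org.

// Constructed hostile input: it looks like a JSON object, but the value of
// "role" is a JavaScript call expression. That is legal JS and illegal JSON.
const hostile =
  '{"user": "eve", "role": (function () { globalThis.pwned = true; return "admin"; })()}';

// Constructed benign input that both parsers accept.
const benign = '{"user": "eve", "role": "reader"}';

// The historical "parser": wrap in parentheses so the braces are read as an
// object literal rather than a block, then hand the whole string to eval().
// Any code embedded in the input runs with the privileges of this script.
function parseWithEval(text) {
  return eval("(" + text + ")");
}

// The correct parser: JSON.parse only accepts the JSON grammar and never
// evaluates anything, so a call expression is a SyntaxError, not code.
function parseWithJsonParse(text) {
  return JSON.parse(text);
}

// JSON.parse guarantees no code execution, not that the data has the shape
// the application expects; check the shape explicitly (allow-list of keys
// and primitive types, no arrays, no null).
function validateUser(obj) {
  const allowed = { user: "string", role: "string" };
  if (obj === null || typeof obj !== "object" || Array.isArray(obj)) return false;
  for (const key of Object.keys(obj)) {
    if (!Object.prototype.hasOwnProperty.call(allowed, key)) return false;
    if (typeof obj[key] !== allowed[key]) return false;
  }
  return Object.keys(allowed).every((k) => k in obj);
}

// Run both parsers on both inputs and report what happened.
function demo() {
  globalThis.pwned = false;

  // eval() "parses" the hostile input and executes the embedded function.
  const viaEval = parseWithEval(hostile);
  const evalRanCode = globalThis.pwned === true;

  // JSON.parse rejects the same input without running anything.
  let safeRejected = false;
  try {
    parseWithJsonParse(hostile);
  } catch (e) {
    safeRejected = e instanceof SyntaxError;
  }

  // Both accept the benign document; the shape check passes on it.
  const parsedBenign = parseWithJsonParse(benign);

  return {
    evalRanCode,                 // true: eval() executed attacker-supplied code
    viaEvalRole: viaEval.role,   // "admin", chosen by the payload at runtime
    safeRejected,                // true: JSON.parse threw a SyntaxError
    benignRole: parsedBenign.role,            // "reader"
    benignValid: validateUser(parsedBenign),  // true
    // an unexpected key or a non-string value fails the shape check
    extraKeyValid: validateUser({ user: "eve", role: "reader", isAdmin: true }),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(demo());
}
```

Run it with node; the `pwned` flag flips only on the eval() path, which is the whole of the JSON segment of the talk. The shape check is the part JSON.parse does not do for you: a well-formed document can still carry keys or types the application never intended to accept.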