[langsec-discuss] XML DIGSIG langsec problems

Daira Hopwood daira at jacaranda.org
Mon Aug 31 12:29:10 UTC 2015

On 29/08/15 03:56, Nils Dagsson Moskopp wrote:
> JSON is not a JavaScript subset. The U+2028 and U+2029 line terminators
> are allowed in a JSON string, but are not allowed in JavaScript strings.

Indeed. The following exchange with Doug Crockford may be relevant.

I wrote to Doug on 6 April 2008:
> I am planning to submit this as an erratum to the JSON RFC -- do you have
> any objection, or suggested changes? Is there any place (mailing list, etc.)
> I should discuss it first?
> Type: Technical
> Section: 2.5
> Original text:
>       unescaped = %x20-21 / %x23-5B / %x5D-10FFFF
> Corrected text:
>       unescaped = %x20-21 / %x23-5B / %x5D-2027 / %x202A-10FFFF
> Notes:
> JSON is intended to be a subset of ECMAScript as defined by ECMA-262 3rd
> edition. Section 7.3 of that standard specifies that the code point values
> (or more precisely, UTF-16 code units) %x2028 or %x2029, which correspond
> to newline characters, cannot occur unescaped in a string literal.
> So, in order for JSON producers to produce output that is guaranteed
> to be accepted as Javascript or ECMAScript, and therefore by eval-based
> JSON parsers such as that given in section 6 of the RFC, it is necessary
> to escape these code points when they occur in a JSON string.
> This change to the definition of 'unescaped' does not imply that a JSON
> parser must reject code points %x2028 or %x2029 appearing unescaped in
> a string, since (from section 4 of the RFC) "A JSON parser MAY accept
> non-JSON forms or extensions." 

Doug answered:

> I do object to this. The ECMAScript standard will be corrected to repair
> the 2028/2029 problem.

I wrote:

> Fair enough, I wasn't aware of that. I don't see it anywhere at
> <http://wiki.ecmascript.org/doku.php?id=es3.1:es3.1_proposal_working_draft>,
> for instance. Is there a more up-to-date specification that includes this
> fix, or is it not documented yet? 

Doug responded:

> I was discussed at the last meeting, but it may not have gotten into the
> public documents yet.

On 27 May 2008 I made a final attempt to point out the inconsistency, to
no avail; this never actually got fixed in either ECMAScript 5 or JSON.
I should have submitted the RFC erratum despite Doug's objection.
Sorry about that.

Daira Hopwood ⚥

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 490 bytes
Desc: OpenPGP digital signature
URL: <https://mail.langsec.org/pipermail/langsec-discuss/attachments/20150831/77f4541d/attachment.sig>

More information about the langsec-discuss mailing list