[langsec-discuss] XML DIGSIG langsec problems
daira at jacaranda.org
Mon Aug 31 12:29:10 UTC 2015
On 29/08/15 03:56, Nils Dagsson Moskopp wrote:
Indeed. The following exchange with Doug Crockford may be relevant.
I wrote to Doug on 6 April 2008:
> I am planning to submit this as an erratum to the JSON RFC -- do you have
> any objection, or suggested changes? Is there any place (mailing list, etc.)
> I should discuss it first?
> Type: Technical
> Section: 2.5
> Original text:
> unescaped = %x20-21 / %x23-5B / %x5D-10FFFF
> Corrected text:
> unescaped = %x20-21 / %x23-5B / %x5D-2027 / %x202A-10FFFF
> JSON is intended to be a subset of ECMAScript as defined by ECMA-262 3rd
> edition. Section 7.3 of that standard specifies that the code point values
> (or more precisely, UTF-16 code units) %x2028 or %x2029, which correspond
> to newline characters, cannot occur unescaped in a string literal.
> So, in order for JSON producers to produce output that is guaranteed
> JSON parsers such as that given in section 6 of the RFC, it is necessary
> to escape these code points when they occur in a JSON string.
> This change to the definition of 'unescaped' does not imply that a JSON
> parser must reject code points %x2028 or %x2029 appearing unescaped in
> a string, since (from section 4 of the RFC) "A JSON parser MAY accept
> non-JSON forms or extensions."
> I do object to this. The ECMAScript standard will be corrected to repair
> the 2028/2029 problem.
> Fair enough, I wasn't aware of that. I don't see it anywhere at
> for instance. Is there a more up-to-date specification that includes this
> fix, or is it not documented yet?
> It was discussed at the last meeting, but it may not have gotten into the
> public documents yet.
On 27 May 2008 I made a final attempt to point out the inconsistency, to
no avail; this never actually got fixed in either ECMAScript 5 or JSON.
I should have submitted the RFC erratum despite Doug's objection.
Sorry about that.
Daira Hopwood ⚥
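
Added example, not part of the original message: a producer-side check and escaper for the two code points the proposed erratum excludes from `unescaped`, so that JSON output stays loadable by an ECMAScript-based parser like the one the erratum mentions. The function names and the sample object are hypothetical and constructed for illustration.

```javascript
// Added example; isUnescapedCorrected, findRawLineSeparators and
// stringifyForScript are hypothetical names, not from the RFC or a library.

// The erratum's corrected production:
//   unescaped = %x20-21 / %x23-5B / %x5D-2027 / %x202A-10FFFF
function isUnescapedCorrected(cp) {
  return (cp >= 0x20 && cp <= 0x21) ||
         (cp >= 0x23 && cp <= 0x5b) ||
         (cp >= 0x5d && cp <= 0x2027) ||
         (cp >= 0x202a && cp <= 0x10ffff);
}

// Report raw U+2028 / U+2029 in a JSON text. JSON whitespace is only
// space, tab, LF and CR, so in valid JSON these can only sit inside strings.
function findRawLineSeparators(jsonText) {
  const hits = [];
  for (let i = 0; i < jsonText.length; i++) {
    const cu = jsonText.charCodeAt(i);
    if (cu === 0x2028 || cu === 0x2029) hits.push({ offset: i, codeUnit: cu });
  }
  return hits;
}

// Serialize, then escape the two code points as \u2028 / \u2029.
// The escaped text is still valid JSON and parses to the same value.
function stringifyForScript(value) {
  return JSON.stringify(value).replace(/[\u2028\u2029]/g,
    (c) => "\\u" + c.charCodeAt(0).toString(16));
}

// Constructed sample input containing both code points.
const sample = { note: "line one\u2028line two\u2029end" };
const raw = JSON.stringify(sample);       // leaves U+2028/U+2029 unescaped
const safe = stringifyForScript(sample);  // escapes them

console.log(findRawLineSeparators(raw));
console.log(safe);
```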