I don't know of any data which would support any claims about how JSON
is used. I assume only that it's used in lots of creative ways, some
of which are mentioned in other messages in this thread.

When you say if V8 is theoretically used for server-side web
applications, I immediately think of all the traffic on this list
which implies that is already the case. I also know of several related
projects, including mine (which I really wish I had more time to work
on).

Pete Gontier <http://pete.gontier.org/>



On Oct 8, 2008, at 11:16 PM, Simon Ask Ulsnes wrote:

>
> That is a very good point. The cases when JSON is accepted from
> untrusted parties are rare, though, but theoretically possible (most
> cases, I'm assuming, are a webserver returning JSON from an AJAX call,
> where no third party is involved). If V8 is theoretically used for
> writing server-side web applications, I guess there would be a need
> for a way to avoid this type of injection attack (similar to how
> current frameworks avoid SQL injection attacks from untrusted input).
>
> - Simon
>
> 2008/10/9 Pete Gontier <[EMAIL PROTECTED]>:
>> In many situations, it's perfectly reasonable to pass JSON data to 'eval'
>> (or V8). However, if one accepts JSON from untrusted parties, one must
>> assume what is ostensibly JSON might actually be malicious JavaScript. The
>> "whole point of JSON" is really to be a compact/portable data format; the
>> fact that it has syntax and semantics which are a precise subset of
>> JavaScript is merely convenient.
>>
>> Pete Gontier <http://pete.gontier.org/>
>>
>>
>> On Oct 8, 2008, at 10:47 AM, Simon Ask Ulsnes wrote:
>>
>> Excuse me?
>>
>> The whole point of JSON is to be representing objects in valid
>> JavaScript syntax. If parsing JSON using V8's internal parser is too
>> slow for you, then it doesn't really make sense to use V8 at all. ;-)
>>
>> Besides, my example generates JSON. Ragel can only be used to parse it.
>> I'm not doubting that Ragel is an excellent state machine compiler,
>> but you're already using one compiler for your code, why not use the
>> same for your data, when you even have the luxury that your code and
>> your data is in the same format?
>>
>> - Simon
>>
>> 2008/10/8  <[EMAIL PROTECTED]>:
>>
>> On Sep 10, 3:04 pm, "Simon Ask Ulsnes" <[EMAIL PROTECTED]> wrote:
>>
>> It's not that hard to add, though.
>>
>> I did something like this:
>>
>> ...
>>
>> Rather than hacking some basic JSON support into V8 or your V8
>> application, I recommend that it be done the pro' way, using Ragel:
>>
>>  http://www.complang.org/ragel/
>>
>> Ragel's compiled state machines are blindingly fast, and hence so are
>> the implementations of JSON of languages that use it:
>>
>>  http://json.rubyforge.org/
>>  http://modules.gotpike.org/module_info.html?module_id=43
>>
>> I did some elementary benchmarking of JSON implementations a while
>> back, and JSON in Ragel was in a class of its own. :-)
>>
>> Slowing down V8's lightning speed with a poor JSON would be so
>> sad. ;-)
>>
>> Morgaine.
>>


--~--~---------~--~----~------------~-------~--~----~
v8-users mailing list
[email protected]
http://groups.google.com/group/v8-users
-~----------~----~----~----~------~----~------~--~---
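The distinction the thread turns on, "a parser for the JSON grammar" versus "hand the text to the JavaScript engine", as an added example that is not code from any message in this thread or from V8: a small recursive-descent parser that accepts only JSON, placed next to the eval-based shortcut. The two input strings are constructed for illustration; the function names are my own.

```javascript
// Added example, not code from the thread or from V8: a strict recursive-descent JSON
// parser. Text that is valid JavaScript but not JSON raises SyntaxError here instead of
// being executed, which is the property eval() cannot give you.
function parseJSONStrict(text) {
  let i = 0;
  const ws = () => { while (i < text.length && ' \t\n\r'.includes(text[i])) i++; };
  const fail = (msg) => { throw new SyntaxError(`${msg} at offset ${i}`); };
  function value() {
    ws();
    const c = text[i];
    if (c === '{') return object();
    if (c === '[') return array();
    if (c === '"') return string();
    if (c === 't') return literal('true', true);
    if (c === 'f') return literal('false', false);
    if (c === 'n') return literal('null', null);
    if (c === '-' || (c >= '0' && c <= '9')) return number();
    return fail('Unexpected character'); // e.g. "(" or an identifier: not JSON
  }
  function literal(word, val) {
    if (text.slice(i, i + word.length) !== word) fail(`Expected ${word}`);
    i += word.length;
    return val;
  }
  function number() {
    // JSON number grammar only: no hex, no leading "+", no bare "." or "1."
    const m = /^-?(0|[1-9]\d*)(\.\d+)?([eE][+-]?\d+)?/.exec(text.slice(i));
    if (!m) fail('Bad number');
    i += m[0].length;
    return Number(m[0]);
  }
  function string() {
    const simple = { '"': '"', '\\': '\\', '/': '/', b: '\b', f: '\f', n: '\n', r: '\r', t: '\t' };
    i++; // opening quote
    let out = '';
    while (i < text.length) {
      const c = text[i++];
      if (c === '"') return out;
      if (c < ' ') fail('Raw control character in string');
      if (c !== '\\') { out += c; continue; }
      const e = text[i++];
      if (e in simple) { out += simple[e]; continue; }
      if (e !== 'u') fail('Bad escape');
      const hex = text.slice(i, i + 4);
      if (!/^[0-9a-fA-F]{4}$/.test(hex)) fail('Bad \\u escape');
      out += String.fromCharCode(parseInt(hex, 16));
      i += 4;
    }
    return fail('Unterminated string');
  }
  function array() {
    i++; // "["
    const arr = [];
    ws();
    if (text[i] === ']') { i++; return arr; }
    for (;;) {
      arr.push(value());
      ws();
      if (text[i] === ',') { i++; continue; }
      if (text[i] === ']') { i++; return arr; }
      fail('Expected "," or "]"');
    }
  }
  function object() {
    i++; // "{"
    const obj = {};
    ws();
    if (text[i] === '}') { i++; return obj; }
    for (;;) {
      ws();
      if (text[i] !== '"') fail('Expected string key');
      const key = string();
      ws();
      if (text[i] !== ':') fail('Expected ":"');
      i++;
      // defineProperty so a "__proto__" key stores data rather than rewriting the prototype
      Object.defineProperty(obj, key, { value: value(), enumerable: true, writable: true, configurable: true });
      ws();
      if (text[i] === ',') { i++; continue; }
      if (text[i] === '}') { i++; return obj; }
      fail('Expected "," or "}"');
    }
  }
  const result = value();
  ws();
  if (i !== text.length) fail('Trailing characters');
  return result;
}

// The shortcut the thread warns about: the engine runs whatever it is given.
function parseJSONWithEval(text) {
  return eval('(' + text + ')');
}

// Constructed inputs: GOOD is real JSON; NOT_JSON is valid JavaScript that only
// looks like an object literal. eval runs the function call inside it, while the
// strict parser stops at the "(" because it lies outside the JSON grammar.
const GOOD = '{"user": "alice", "roles": ["admin", "dev"], "n": -1.5e2}';
const NOT_JSON = '{"user": (function () { return "code ran"; })()}';
```

The parser is the same shape a generated Ragel machine ends up with (one pass, no backtracking, reject on the first byte outside the grammar); the point of writing it out is that every accepting path produces data and none of them evaluates anything. Trailing text after the value is rejected too, so `1+1` or a value followed by a second statement fails rather than being silently truncated.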
