
JSON

JSON (JavaScript Object Notation, usually pronounced /ˈdʒeɪsən/ JAY-sən [2]) is a text-based data exchange format based on JavaScript. Like many other text formats, JSON is easy for people to read. The JSON format was developed by Douglas Crockford [3].

JSON
Format type: Data exchange
Standard(s): RFC 8259

Despite its origin in JavaScript (more precisely, in a subset of the 1999 ECMA-262 standard), the format is considered language-independent and can be used with almost any programming language. For many languages, ready-made code exists for creating and processing data in JSON format.

Usage

Because it is more concise than XML, the JSON format may be better suited for serializing complex structures. In web applications it is appropriate for data exchange both between the browser and the server (AJAX) and between servers themselves (HTTP-based service-to-service connections).

Since the JSON format is a subset of JavaScript syntax, it can be quickly deserialized by the built-in eval() function. In addition, it is possible to insert fully functional JavaScript functions. In PHP, starting with version 5.2.0, JSON support is included in the core in the form of the json_decode() and json_encode() functions, which convert JSON data types to the corresponding PHP types and vice versa.

Syntax

JSON text is (in encoded form) one of two structures:

  • A set of key: value pairs. In various languages this is implemented as a record, structure, dictionary, hash table, keyed list, or associative array. The key can only be a string (case-sensitive: names that differ only in letter case are considered different [4]); the value can be of any type.
  • An ordered set of values. In many languages this is implemented as an array, vector, list, or sequence.

These are universal data structures: as a rule, any modern programming language supports them in one form or another. They form the basis of JSON because it is used to exchange data between different programming languages.

The following can be used as values in JSON:

  • A record is an unordered set of key: value pairs enclosed in braces “{}”. The key is a string; between it and the value stands the symbol “:”. Key-value pairs are separated by commas.
  • An array (one-dimensional) is an ordered set of values. The array is enclosed in square brackets “[]”. Values are separated by commas. The array may be empty, i.e. contain no values.
  • A number (integer or real).
  • The literals true (boolean true), false (boolean false), and null.
  • A string is an ordered set of zero or more Unicode characters enclosed in double quotes. Characters can be specified using escape sequences starting with the backslash “\” (the variants \', \", \\, \/, \t, \n, \r, \f and \b are supported) or written as a Unicode code point in hexadecimal as \uFFFF.

The string is very similar to the JavaScript data type of the same name. The number is also very similar to a JavaScript number, except that only decimal notation is used (with a period as the decimal separator). Whitespace can be inserted between any two syntax elements.

The following example shows a JSON representation of data about an object that describes a person. The data has string fields for the first and last name, information describing the address, and an array containing a list of phone numbers. As the example shows, a value can be a nested structure.

  {
    "firstName": "Ivan",
    "lastName": "Ivanov",
    "address": {
        "streetAddress": "Moscow highway 101, apt. 101",
        "city": "Leningrad",
        "postalCode": "101101"
    },
    "phoneNumbers": [
        "812 123-1234",
        "916 123-4567"
    ]
  }

Note the postalCode pair: 101101. Both a number and a string can be used as values in JSON. Therefore the entry "postalCode": "101101" contains a string, while "postalCode": 101101 is a numeric value. Since variables in JS are untyped (only values have types), such a distinction usually causes no type-conversion problems later. But if JSON data is processed in an environment other than JS, you need to be careful.

In XML, a similar structure would look something like this:

  <person>
    <firstName>Ivan</firstName>
    <lastName>Ivanov</lastName>
    <address>
      <streetAddress>Moscow highway 101, apt. 101</streetAddress>
      <city>Leningrad</city>
      <postalCode>101101</postalCode>
    </address>
    <phoneNumbers>
      <phoneNumber>812 123-1234</phoneNumber>
      <phoneNumber>916 123-4567</phoneNumber>
    </phoneNumbers>
  </person>

or like this:

  <person firstName="Ivan" lastName="Ivanov">
    <address streetAddress="Moscow sh., 101, apt. 101" city="Leningrad" postalCode="101101" />
    <phoneNumbers>
      <phoneNumber>812 123-1234</phoneNumber>
      <phoneNumber>916 123-4567</phoneNumber>
    </phoneNumbers>
  </person>

JSON5

JSON5 is a proposed extension of the JSON format in line with ECMAScript 5 syntax, motivated by the fact that JSON is used not only for communication between programs but is also created and edited by hand [5]. A JSON5 file is always valid ECMAScript 5 code. JSON5 is backward compatible with JSON. JSON5 parsers already exist for some programming languages [6].

Some innovations:

  • Both single-line // and multi-line /* */ comments are supported.
  • Objects and arrays may have a trailing comma after the last item (useful when copying items).
  • Object keys can be unquoted if they are valid ECMAScript 5 identifiers.
  • Strings can be enclosed in single or double quotes.
  • Numbers can be hexadecimal, can begin or end with a decimal point, can be Infinity, -Infinity, NaN or -NaN, and can begin with a +.

Comparison with YAML

Both functionally and syntactically, JSON is a subset of the YAML language. In particular, the YAML 1.2 specification states that “any JSON file is a valid YAML file” [7]. The most common YAML parsers are capable of handling JSON as well [8]. YAML specifications prior to version 1.2 did not fully cover JSON, primarily because YAML lacked native UTF-32 support and required a space after the comma separator; in addition, the JSON specification included /* */ style comments.

The most important differences from JSON are a set of YAML syntax extensions that have no JSON analogues:

  • Support for relational data: a YAML document can refer to an anchor encountered earlier in the file/stream; in this way recursive structures can be expressed.
  • Support for extensible data types in addition to the primitives: strings, numbers, booleans, etc.
  • Support for indented block syntax, which allows structured data to be described without extra characters: brackets of all kinds, quotation marks, etc.

JSON Schema

JSON Schema is one of the languages for describing the structure of a JSON document. It uses JSON syntax and is based on the concepts of XML Schema, RelaxNG and Kwalify. JSON Schema is a self-describing language: when it is used to process data and describe its validity, the same serialization/deserialization tools can be used [9].

JSON-LD format for linked data

The JSON standard does not support object references, but the desired result can be achieved using additional conventions. The W3C recommendation for linked data is JSON-LD, which uses the RDF data model. In JSON-LD, a context is added to the data, linking the properties of objects in the JSON document with ontology elements [10].

Using JSON in Ajax

The following JavaScript code example shows how the browser can use XMLHttpRequest to request an object in JSON format from the server (the server part of the program is omitted; it must contain code that sends data as a JSON string in response to requests at url).

  var http_request = new XMLHttpRequest();
  http_request.onreadystatechange = function () {
      // readyState 4 (DONE): the response has been fully received
      if (http_request.readyState !== 4)
          return;

      if (http_request.status !== 200)
          throw new Error('request failed');

      // Parse the response body as JSON and hand the resulting object on
      do_something_with_object(JSON.parse(http_request.responseText));
      http_request = null;
  };
  http_request.open("GET", url, true);
  http_request.send(null);

Note that this XMLHttpRequest example does not work in Internet Explorer up to and including version 6, so slightly different code must be used for those browsers. The possibilities for using XMLHttpRequest are limited by the same-origin policy: the URL of the requested response must be in the same DNS domain as the server hosting the page that makes the request. As an alternative, the JSONP approach is used, which wraps the data in a function call agreed between client and server so that the client can load JSON-encoded data from third-party domains and notify the caller on completion, although this entails some security risks and additional server requirements.

Alternatively, <iframe> elements can be used in the page to request JSON data asynchronously, or simply <form action="url_to_cgi_script">. These approaches were common until XMLHttpRequest became widely supported.

Dynamic <script> tags can also be used to transmit JSON data. This method bypasses the same-origin policy, but it leads to vulnerable code. JSONRequest has been suggested as a safer alternative.

Security Issues

Although JSON is designed for transmitting data in serialized form, its syntax coincides with JavaScript syntax, and this creates a number of security problems. Often, data received from an external source in JSON format is processed by applying the eval() function to it without any preliminary verification.

JavaScript eval()

Since JSON text is a syntactically valid fragment of JavaScript code, the easiest way to parse JSON data in a JavaScript program is the built-in eval() function, which is designed to execute JavaScript expressions. With this approach there is no need for additional parsers.

The use of eval() makes the system vulnerable if the source of the JSON data is not trusted. Such data may be malicious JavaScript code for attacks of the code injection class. Through this vulnerability, data can be stolen and authentication forged. Nevertheless, the vulnerability can be eliminated by additionally checking the data for correctness. For example, before eval() is applied, data received from an external source can be checked using regular expressions. The RFC defining JSON [11] proposes the following code to verify that text conforms to the JSON format:

  var my_JSON_object = !(/[^,:{}\[\]0-9.\-+Eaeflnr-u \n\r\t]/.test(
          text.replace(/"(\\.|[^"\\])*"/g, ''))) &&
      eval('(' + text + ')');

As a safer alternative to eval(), a new JSON.parse() function has been proposed that can only process JSON data. It was introduced in the fourth version of the ECMAScript standard and is described in the article “JSON: The Fat-Free Alternative to XML” [12]. It is currently available as a JavaScript library [13] and has been included in the fifth edition of ECMAScript.
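The check quoted above used as a gate in front of JSON.parse() rather than eval(), as an added example that is not part of the article; the sample inputs are constructed here, and the stricter grammar enforced by JSON.parse() (quoted keys, no trailing commas) is shown alongside the RFC character check.

```javascript
// Step 1 of the RFC 4627 check: strip every JSON string literal
// ("..." with backslash escapes) so that only structural text remains.
function stripStrings(text) {
  return text.replace(/"(\\.|[^"\\])*"/g, '');
}

// Step 2: with strings removed, valid JSON consists only of brackets,
// separators, digits, sign/exponent characters, the letters of
// true/false/null, and whitespace. Any other character means "not JSON".
function looksLikeJson(text) {
  return !/[^,:{}\[\]0-9.\-+Eaeflnr-u \n\r\t]/.test(stripStrings(text));
}

// Parse untrusted text without eval(): the character check rejects anything
// containing code-like characters such as "(" or "=", and JSON.parse then
// enforces the full grammar (quoted keys, no trailing commas, no comments),
// which the character check alone does not.
function parseUntrusted(text) {
  if (!looksLikeJson(text)) {
    return { ok: false, reason: 'contains characters that cannot occur in JSON' };
  }
  try {
    return { ok: true, value: JSON.parse(text) };
  } catch (e) {
    return { ok: false, reason: 'passed character check but is not JSON: ' + e.message };
  }
}

// Constructed sample inputs (not responses from any real server).
const samples = [
  '{"firstName":"Ivan","postalCode":101101}',   // valid JSON, numeric postalCode
  '{"firstName":"Ivan","postalCode":"101101"}', // valid JSON, string postalCode
  '{"evil": alert(1)}',                         // code, not data: rejected by the check
  '{a:1}',                                      // JSON5/JavaScript, not JSON: rejected by JSON.parse
  '{"a":1,}',                                   // trailing comma: rejected by JSON.parse
];
for (const s of samples) {
  console.log(s, '->', JSON.stringify(parseUntrusted(s)));
}
```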

Embedded JSON

Recent versions of web browsers have built-in JSON support and are able to handle it without calling the eval() function, which causes the security problem described above. JSON processing in this case is usually faster. As of June 2009, the following browsers had native JSON support:

  • Mozilla Firefox 3.5+ [14]
  • Microsoft Internet Explorer 8 [15]
  • Opera 10.5+ [16]
  • WebKit-based browsers (such as Google Chrome and Apple Safari) [17]

At least five popular JavaScript libraries use native JSON when it is available:

  • jQuery [18] [19]
  • Dojo [20]
  • MooTools [21]
  • Yahoo! UI Library [22]
  • Prototype [23]

Cross Domain Request Forgery

Careless use of JSON makes sites vulnerable to cross-site request forgery (CSRF or XSRF) [24]. Since the <script> tag allows a source that does not belong to the same domain as the page using it, code disguised as data in JSON format can be executed in the context of an arbitrary page, which makes it possible to compromise passwords or other confidential information of a user who is logged in to another site.

This is a problem only if the JSON data contains confidential information that a third party could compromise, and if the server relies on the same-origin policy, blocking access to the data when an external request is detected. It is not a problem if the server verifies the validity of the request, providing the data only if the request is legitimate. HTTP cookies cannot be used to determine this: relying exclusively on HTTP cookies is precisely what cross-site request forgery exploits.
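A server-side gate that follows the point just made, as an added example not taken from the article: a <script src="…"> include sends the user's cookies but cannot add custom request headers or read a per-session token, whereas the page's own XMLHttpRequest code can do both. The header names, the token scheme, and the request and session shapes are conventions assumed here.

```javascript
// Constant-time string comparison so a token check does not leak
// how many leading characters matched.
function tokensEqual(a, b) {
  if (typeof a !== 'string' || typeof b !== 'string' || a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Decide whether a request for a JSON resource is legitimate. A valid
// session cookie is necessary but not sufficient: a cross-site <script>
// tag would carry that cookie too. The extra evidence must be something
// only same-origin script can attach to the request.
function authorizeJsonRequest(req, sessions) {
  const session = sessions[req.cookies.sid];
  if (!session) {
    return { allowed: false, reason: 'no valid session cookie' };
  }
  // Custom headers cannot be set by a <script src> include (assumed convention)
  if (req.headers['x-requested-with'] !== 'XMLHttpRequest') {
    return { allowed: false, reason: 'missing custom header: request may come from a <script> tag' };
  }
  // A per-session token that the page obtained when it was rendered (assumed convention)
  if (!tokensEqual(req.headers['x-csrf-token'], session.csrfToken)) {
    return { allowed: false, reason: 'CSRF token does not match the session' };
  }
  return { allowed: true, reason: 'ok' };
}

// Constructed session store and requests (not a real server).
const sessions = { abc: { user: 'ivan', csrfToken: 'tok-123' } };
const viaScriptTag = { cookies: { sid: 'abc' }, headers: {} };
const viaXhr = {
  cookies: { sid: 'abc' },
  headers: { 'x-requested-with': 'XMLHttpRequest', 'x-csrf-token': 'tok-123' },
};
console.log('script tag:', authorizeJsonRequest(viaScriptTag, sessions));
console.log('xhr:      ', authorizeJsonRequest(viaXhr, sessions));
```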

JSONP and JSONPP

JSONP (JSON with Padding) is a JSON extension in which the name of a callback function is specified as an input argument.

The technique relies on the fact that the browser security policy does not prohibit using <script type="text/javascript" src="…"></script> to access servers other than the one from which the page was loaded.

Without JSONP (that is, using plain JSON encoding), the server can only return data, for example:

  { "paper": "A4", "count": 5 }

However, this is only data, and it cannot affect the browser.

With the JSONP technique, the name of the callback function is passed to the third-party server in the request line (GET):

  <script type="text/javascript" src="http://example.com/getjson?jsonp=parseResponse"></script>

Here the jsonp parameter contains the name of the callback function, parseResponse.

Now the third-party server example.com can return the following code:

  parseResponse({ "paper": "A4", "count": 5 })

The returned code now calls a JavaScript function of the first domain.
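The server half of the exchange above, written as an added example that is not the article's or example.com's code: it builds the parseResponse({...}) script for a request such as /getjson?jsonp=parseResponse. The callback-name check and the escaping of U+2028/U+2029 are hardening steps assumed here, not something the article specifies.

```javascript
// Accept only a dotted JavaScript identifier as the callback name,
// e.g. parseResponse or app.onData. Anything else is refused rather than
// echoed into a script body.
const CALLBACK_NAME = /^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$/;

// Serialize data as JSON that is also safe to embed in JavaScript source:
// U+2028 and U+2029 are legal unescaped inside JSON strings but are line
// terminators in JavaScript, so they are escaped explicitly.
function toJsSafeJson(data) {
  return JSON.stringify(data)
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// Build the response. Without a jsonp parameter the server returns plain
// JSON, which is data only; with one it returns a script that calls the
// named function, so the name must never come from the query verbatim.
function buildJsonpResponse(data, callback) {
  if (callback == null) {
    return { contentType: 'application/json', body: toJsSafeJson(data) };
  }
  if (!CALLBACK_NAME.test(callback)) {
    throw new Error('jsonp parameter is not a plain function name');
  }
  return {
    contentType: 'application/javascript',
    body: callback + '(' + toJsSafeJson(data) + ');',
  };
}

// Handle the query string of the article's request URL (constructed data).
function handleGetJson(queryString) {
  const params = new URLSearchParams(queryString);
  return buildJsonpResponse({ paper: 'A4', count: 5 }, params.get('jsonp'));
}

console.log(handleGetJson('jsonp=parseResponse').body);
console.log(handleGetJson('').body);
try {
  handleGetJson('jsonp=parse%20response()');
} catch (e) {
  console.log('refused:', e.message);
}
```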

The idea was originally proposed on the MacPython blog in 2005 [25] and is currently used by many Web 2.0 applications, such as Dojo Toolkit applications, Google Toolkit applications (https://www.webcitation.org/6Djo88laj?url=http://www.gwtapps.com/?p=42) and zanox Web Services. Further extensions of this protocol have been proposed that introduce additional arguments, as, for example, in JSONPP [26] with the support of S3DB web services.

Because JSONP uses script tags, calls are essentially open to the world. For this reason, JSONP may not be appropriate for storing sensitive data [27].

Including script tags from remote sites allows them to inject any content into the site. If a remote site has vulnerabilities that allow JavaScript injection, the including site may also be affected by them.

JSONPP (parameterized JSON with padding) is a development of the JSONP idea.

JSONPP includes the source URL, the name of the function that will process the JSON data, a string to eval after the data is received, and a string to eval after the data has been processed:

  JSON_call(SRC, JSONP, JSONPP, ONLOAD);

eventually unfolds into

  ans = JSONP(SRC)
  {
      eval(JSONPP(ans));
      eval(ONLOAD);
  }

In general, the number of parameters does not matter for the JSONPP idea itself. SRC, JSONP and JSONPP (and their processing on the server side and then on the client) are enough for it to count as JSONPP.

Consider an example of working with the S3DB service.

  function s3db_jsonpp_call(src, next_eval) {
      // Random id so the injected <script> element can be found and removed later
      var call = "call_" + Math.random().toString().replace(/\./g, "");
      var headID = document.getElementsByTagName("head")[0];
      var script = document.createElement('script');
      script.id = call;
      script.type = 'text/javascript';
      // using padded, parameterized json
      src = src + "&format=json&jsonp=s3db_jsonpp&jsonpp=" + next_eval +
            "&onload=remove_element_by_id('" + script.id + "')";
      script.src = src;
      headID.appendChild(script);  // retrieve answer
  }
  // Callback named in the jsonp parameter: the server response calls it
  // with the data and the jsonpp string to evaluate
  function s3db_jsonpp(ans, jsonpp) {
      eval(jsonpp);
      return ans;
  }
  // Invoked via the onload parameter once the response has been processed
  function remove_element_by_id(id) {
      var e = document.getElementById(id);
      e.parentNode.removeChild(e);
      return false;
  }

In the example, the s3db_jsonpp_call() function creates a script element in the DOM's head section whose src corresponds to a JSONPP call.

After a response is received from the server, s3db_jsonpp() is called; its name is passed in the call parameters, as the JSONP rules require.

Inside s3db_jsonpp(), eval(jsonpp) is executed and ans is returned.

Calling eval(onload) leads to remove_element_by_id() being invoked with the id of the script created in head and, as a result, to its removal, since it will not be used again (the id in the example was generated randomly at the very start of s3db_jsonpp_call()). This call is contained in the server response.

JSONB

JSONB is a binary JSON extension implemented in the PostgreSQL DBMS in version 9.4.18. In effect, JSONB is a binary representation of JSON [28], with the differences that whitespace is removed from stored values, the order of object keys is not preserved, and only the last value is stored for duplicate keys [29].

See also

  • BSON
  • YAML
  • JSON-LD
  • JSONP

Notes

  1. ↑ D. Crockford. The application/json Media Type for JavaScript Object Notation (JSON). Internet Engineering Task Force, 2006. 10 p. doi:10.17487/RFC4627
  2. ↑ Doug Crockford. "Google Tech Talks: JavaScript: The Good Parts" (7 February 2009).
  3. ↑ JSON Redux AKA RFC7159.
  4. ↑ http://jsonrpc.org/historical/json-rpc-1-1-alt.html#service-procedure-and-parameter-names
  5. ↑ JSON5 by aseemk
  6. ↑ In The Wild · json5/json5 Wiki · GitHub
  7. ↑ YAML Ain't Markup Language (YAML™) Version 1.2 (in English) (dead link). Working Draft 2008-05-11. Retrieved 24 September 2009. Archived 16 May 2008.
  8. ↑ YAML is JSON. RedHanded (7 April 2005). Retrieved 25 September 2012.
  9. ↑ Json.Com. JSON Schema Proposal (in English) (dead link). Archived 14 May 2008.
  10. ↑ JSON-LD Syntax 1.0 (27 December 2011). Retrieved 30 December 2011.
  11. ↑ RFC 4627 (Request for Comments)
  12. ↑ JSON: The Fat-Free Alternative to XML (in English). Archived 12 February 2012.
  13. ↑ json2.js (in English). Retrieved 24 September 2009. Archived 12 February 2012.
  14. ↑ Using native JSON (in English).
  15. ↑ Native JSON in IE8 (in English). Archived 12 February 2012.
  16. ↑ Web specifications supported in Opera Presto 2.5 (in English) (10 March 2010). Retrieved 29 March 2010. Archived 12 February 2012.
  17. ↑ Implementation of the ES 3.1 JSON object (in English).
  18. ↑ Ticket #4429 (in English). Archived 12 February 2012.
  19. ↑ Ticket #4429 (22 May 2009). Retrieved 3 July 2009. Archived 12 February 2012.
  20. ↑ Ticket #8111 (in English). Archived 12 February 2012.
  21. ↑ MooTools Core & More 1.3.1. Archived 12 February 2012.
  22. ↑ YUI 2: JSON utility (1 September 2009). Retrieved 22 October 2009. Archived 12 February 2012.
  23. ↑ Learn JSON (7 April 2010). Retrieved 7 April 2010. Archived 12 February 2012.
  24. ↑ Jeremiah Grossman. Advanced Web Attack Techniques using GMail (in English). WhiteHat Security. Retrieved 23 September 2009. Archived 12 February 2012.
  25. ↑ from __future__ import * » Remote JSON - JSONP. Bob.pythonmac.org. Retrieved 8 September 2008. Archived 12 February 2012.
  26. ↑ Almeida, Jonas. JSON, JSONP, JSONPP? S3DB, 2008, 11 June.
  27. ↑ RIAspot. JSON P for Cross Site XHR (dead link). Archived 5 December 2008.
  28. ↑ When to use unstructured data types in PostgreSQL? Comparing Hstore vs. JSON vs. JSONB (in Russian). Retrieved 4 July 2018.
  29. ↑ Why PostgreSQL is better than other open-source SQL databases. Part 1 (in Russian). Retrieved 4 July 2018.

Links

  • Official home page of the format, in Russian
  • json.js, json2.js: a library by Douglas Crockford for working with JSON data in JavaScript. It extends Object with a toJSONString method, which is then present on every object and converts it to a string in JSON format.
  • json-rpc.org (in English)
  • Chapter on JSON from an online JavaScript tutorial (in Russian)
  • JSON formatter (in English)
  • JSON viewer (in English)
  • JSON validator (in English)
Source: https://ru.wikipedia.org/w/index.php?title=JSON&oldid=101371773

