JSON: Wikis

  

Encyclopedia

Updated live from Wikipedia, last check: June 03, 2012 18:22 UTC (47 seconds ago)

From Wikipedia, the free encyclopedia

JSON
Filename extension: .json
Internet media type: application/json
Type of format: Data interchange
Extended from: JavaScript
Standard(s): RFC 4627
Website: http://json.org
JSON, short for JavaScript Object Notation, is a lightweight computer data interchange format.

It is a text-based, human-readable format for representing simple data structures and associative arrays (called objects).

The JSON format was originally specified in RFC 4627 by Douglas Crockford.

The official Internet media type for JSON is application/json.

The JSON filename extension is .json.
The JSON format is often used for serialization and transmitting structured data over a network connection.

Its main application is in Ajax web application programming, where it serves as an alternative to the XML format.

History

Although JSON was based on a subset of the JavaScript programming language (specifically, Standard ECMA-262 3rd Edition—December 1999[1]) and is commonly used with that language, it is considered to be a language-independent data format.

Code for parsing and generating JSON data is readily available for a large variety of programming languages.

The json.org website provides a comprehensive listing of existing JSON bindings, organized by language.

In December 2005, Yahoo! began offering some of its web services optionally in JSON.[2] Google started offering JSON feeds for its GData web protocol in December 2006.[3]

Data types, syntax and example

JSON's basic types are:
The following example shows the JSON representation of an object that describes a person.

The object has string fields for first name and last name, contains an object representing the person's address, and contains a list (an array) of phone number objects.

{
     "firstName": "John",
     "lastName": "Smith",
     "age": 25,
     "address": {
         "streetAddress": "21 2nd Street",
         "city": "New York",
         "state": "NY",
         "postalCode": "10021"
     },
     "phoneNumber": [
         { "type": "home", "number": "212 555-1234" },
         { "type": "fax", "number": "646 555-4567" }
     ],
     "newSubscription": false,
     "companyName": null
 }
A possible equivalent for the above in XML could be:
<Person>
  <firstName>John</firstName>
  <lastName>Smith</lastName>
  <age>25</age>
  <address>
    <streetAddress>21 2nd Street</streetAddress>
    <city>New York</city>
    <state>NY</state>
    <postalCode>10021</postalCode>
  </address>
  <phoneNumber type="home">212 555-1234</phoneNumber>
  <phoneNumber type="fax">646 555-4567</phoneNumber>
  <newSubscription>false</newSubscription>
  <companyName />
</Person>
Per the RFC, the MIME type to be used when transferring a JSON file using HTTP is application/json.

Since JSON is a subset of JavaScript it is possible, but not recommended, to parse the JSON text into an object by invoking JavaScript's eval() function.

For example, assume the above JSON text segment is contained in the JavaScript string variable contact.

Creating a JavaScript object, p, from the JSON data could be done with the statement:
 var p = eval("(" + contact + ")");
The contact variable must be wrapped in parentheses to avoid an ambiguity in JavaScript's syntax.[4]
The recommended way, however, is to use a JSON parser.

Parsers are now built into advanced browsers like Firefox 3.5 and IE 8.0.
  var p = JSON.parse(contact);
The parsed data fields are accessible using standard JavaScript syntax: p.firstName, p.address.city, p.phoneNumber[0] etc.

Unless you absolutely trust the source of the text, and you have a need to parse and accept text that is not strictly JSON-compliant, you should avoid eval() and use JSON.parse() or another JSON-specific parser instead.

A JSON parser will recognize only JSON text and will reject other text, which could contain malevolent JavaScript.

In browsers that provide native JSON support, JSON parsers are also much faster than eval.

It is expected that native JSON support will be included in the next ECMAScript standard.[1]

JSON schema

There are several ways to verify the structure and data types inside a JSON object, much like an XML schema.

JSON Schema[5] is a specification for a JSON-based format for defining the structure of JSON data.

JSON Schema provides a contract for what JSON data is required for a given application and how it can be modified, much like what XML Schema provides for XML. JSON Schema is intended to provide validation, documentation, and interaction control of JSON data.

JSON Schema is based on the concepts from XML Schema, RelaxNG, and Kwalify, but is intended to be JSON-based, so that JSON data in the form of a schema can be used to validate JSON data, the same serialization/deserialization tools can be used for the schema and data, and it can be self descriptive.

Using JSON in Ajax

The following JavaScript code shows how the client can use an XMLHttpRequest to request an object in JSON format from the server.

(The server-side programming is omitted; it has to be set up to respond to requests at url with a JSON-formatted string.)
var the_object = {};
var http_request = new XMLHttpRequest();
http_request.open( "GET", url, true );
http_request.onreadystatechange = function () {
    if ( http_request.readyState == 4 && http_request.status == 200 ) {
        the_object = JSON.parse( http_request.responseText );
    }
};
http_request.send(null);
Note that the use of XMLHttpRequest in this example is not cross-browser compatible; syntactic variations are available for Internet Explorer, Opera, Safari, and Mozilla-based browsers.

The usefulness of XMLHttpRequest is limited by the same origin policy: the URL replying to the request must reside within the same DNS domain as the server that hosts the page containing the request.

Alternatively, the JSONP approach incorporates the use of an encoded callback function passed between the client and server to allow the client to load JSON-encoded data from third-party domains and to notify the caller function upon completion, although this imposes some security risks and additional requirements upon the server.

Browsers can also use <iframe> elements to asynchronously request JSON data in a cross-browser fashion, or use simple <form action="url_to_cgi_script" target="name_of_hidden_iframe"> submissions.

These approaches were prevalent prior to the advent of widespread support for XMLHttpRequest.
Dynamic <script> tags can also be used to transport JSON data.

With this technique it is possible to get around the same origin policy but it is insecure.

JSONRequest has been proposed as a safer alternative.

Security issues

Although JSON is intended as a data serialization format, its design as a subset of the JavaScript programming language poses several security concerns.

These concerns center on the use of a JavaScript interpreter to dynamically execute JSON text as JavaScript, thus exposing a program to errant or malicious script contained therein—often a chief concern when dealing with data retrieved from the internet.

While not the only way to process JSON, it is an easy and popular technique, stemming from JSON's compatibility with JavaScript's eval() function, and illustrated by the following code examples.

JavaScript eval()

Because all JSON-formatted text is also syntactically legal JavaScript code, an easy way for a JavaScript program to parse JSON-formatted data is to use the built-in JavaScript eval() function, which was designed to evaluate JavaScript expressions.

Rather than using a JSON-specific parser, the JavaScript interpreter itself is used to execute the JSON data to produce native JavaScript objects.

The eval technique is subject to security vulnerabilities if the data and the entire JavaScript environment are not within the control of a single trusted source.

If the data is itself not trusted, for example, it may be subject to malicious JavaScript code injection attacks, unless some additional means is used to validate the data first.

Regular expressions are sometimes used to perform this check prior to invoking eval.

Also, such breaches of trust may create vulnerabilities for data theft, authentication forgery, and other potential misuse of data and resources.

The RFC that defines JSON (RFC 4627) suggests using the following code to validate JSON before eval'ing it (the variable 'text' is the input JSON):[6]
    var my_JSON_object = !(/[^,:{}\[\]0-9.\-+Eaeflnr-u \n\r\t]/.test(
            text.replace(/"(\\.|[^"\\])*"/g, ''))) &&
        eval('(' + text + ')');
A new function, parseJSON(), has been proposed as a safer alternative to eval, as it is specifically intended to process JSON data and not JavaScript. It was to be included in the Fourth Edition of the ECMAScript standard,[7] though it is available now as a JavaScript library at http://www.JSON.org/json2.js and will be in the Fifth Edition of ECMAScript.[citation needed]

Native JSON

Recent web browsers now either have or are working on native JSON encoding/decoding, which removes the eval() security problem above.

Native JSON is generally faster than the JavaScript libraries commonly used before.
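The two approaches described above, side by side, as an added example (not code from RFC 4627, json2.js or any browser). The function names and sample inputs are constructed for illustration; `JSON.parse` is the native parser standardized in ECMAScript Fifth Edition. It shows that the RFC 4627 check filters characters rather than validating JSON grammar.

```javascript
// RFC 4627, section 6: remove string literals, then reject the text if any
// remaining character falls outside JSON punctuation, digits, and the
// letters needed for true, false, null and exponents.
function passesRfc4627Check(text) {
  return !/[^,:{}\[\]0-9.\-+Eaeflnr-u \n\r\t]/.test(
    text.replace(/"(\\.|[^"\\])*"/g, ''));
}

// Parse text from an untrusted source.
// nativeJSON: an object with a parse() method (the built-in JSON object),
// or null to simulate a browser without native support.
function parseUntrusted(text, nativeJSON) {
  if (nativeJSON && typeof nativeJSON.parse === 'function') {
    // The native parser only builds data; it never executes its input.
    return nativeJSON.parse(text);
  }
  if (!passesRfc4627Check(text)) {
    throw new SyntaxError('rejected by RFC 4627 character check');
  }
  // Reached only for text that passed the character check above.
  return eval('(' + text + ')');
}

// Constructed sample inputs (not captured from any real service).
const SAMPLES = {
  valid: '{"Name": "Cheeso", "Rank": 7}',
  // A function call placed in a value; it sets a flag if it is ever executed.
  codeBearing: '{"Rank": (function () { globalThis.sideEffect = true; return 7; })()}',
  // Passes the character check but is not valid JSON (empty array slot).
  malformed: '[1,,2]'
};

// Run one sample through one path and report the outcome without throwing.
function outcome(text, nativeJSON) {
  try {
    return { ok: true, value: parseUntrusted(text, nativeJSON) };
  } catch (e) {
    return { ok: false, error: e.name };
  }
}

// Compare the fallback path (null) with the native path (JSON) per sample.
function compareAll() {
  const report = {};
  for (const name of Object.keys(SAMPLES)) {
    report[name] = {
      fallback: outcome(SAMPLES[name], null),
      native: outcome(SAMPLES[name], JSON)
    };
  }
  return report;
}

console.log(JSON.stringify(compareAll(), null, 2));
```

Both paths refuse the code-bearing sample without running it, but only the native parser also refuses the malformed array, so the fallback path can hand the caller a value that a strict JSON consumer would never have produced.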

As of June 2009 the following browsers have or will have native JSON support:
  • Mozilla Firefox 3.5+[8]
  • Microsoft Internet Explorer 8[9]
  • Webkit-based browsers (e.g. Google Chrome, Apple Safari)[10]
At least 4 popular JavaScript libraries have committed to use native JSON if available:

Comparison with other formats

XML

XML is often used to describe structured data and to serialize objects. Various XML-based protocols exist to represent the same kind of data structures as JSON for the same kind of data interchange purposes. However, because XML is a general-purpose markup language, these protocols are syntactically more complex and bigger in file size than JSON, which, in contrast, is specifically designed for data interchange.

Both lack an explicit mechanism for representing large binary data types such as image data (although binary data can be serialized in either case by applying a general-purpose binary-to-text encoding scheme). JSON lacks references (something XML has via extensions like XLink and XPointer) and has no standard path notation comparable to XPath.

YAML

Both functionally and syntactically, YAML is effectively a superset of JSON.[15] The common YAML library (Syck) also parses JSON.[16] Prior to YAML version 1.2, YAML was not quite a perfect superset of JSON, primarily because it lacked native handling of UTF-32 and required comma separators to be followed by a space.

The most distinguishing point of comparison is that YAML offers the following syntax enrichments which have no corresponding expression in JSON:
Relational:
YAML offers syntax for relational data: rather than repeating identical data later in a document, a YAML document can refer to an anchor earlier in the file/stream. Recursive structures (for example, an array containing itself) can be expressed this way. For example, a film database might list actors (and their attributes) under a Movie's cast, and also list Movies (and their attributes) under an Actor's portfolio.
Extensible:
YAML also offers extensible data types beyond primitives (i.e., strings, floats, ints, bools) which can include class-type declarations.
Blocks:
YAML uses a block-indent syntax to allow formatting of structured data without use of additional characters (i.e., braces, brackets, quotation marks, etc.). Besides giving YAML a different appearance than JSON, this block-indent device permits the encapsulation of text from other markup languages, or even JSON, in the other language's native literal style and without escaping of colliding sigils.

Efficiency

JSON is primarily used for communicating data over the Internet, but has certain characteristics that may limit its efficiency for this purpose. Most of the limitations are general limitations of textual data formats and also apply to XML and YAML. For example, decoding must be done on a character-by-character basis, and the standard has no provision for data compression, interning of strings, or object references. Compression can, of course, be applied to the JSON formatted data.

In practice, performance can be comparable to that of similar binary data formats and often depends more on implementation quality than on the theoretical limitations of formats.

JSONP

JSONP or "JSON with padding" is a complement to the base JSON data format, a usage pattern that allows a page to request and more meaningfully use JSON from a server other than the primary server. Under the same origin policy, a web page served from domain1.com cannot normally connect to or communicate with a server other than domain1.com. An exception is HTML <script> tags, which can retrieve data from locations other than domain1.com. Taking advantage of the open policy for <script> tags, some pages use them to retrieve JSON from other origins.

Without JSONP, a script URL that returns JSON just embeds a data statement into a browser page.

In other words, the browser would receive something like:
   {"Name": "Cheeso", "Rank": 7}
... which may be interesting but is just data, and has no externally detectable effect in the browser's execution context when received and evaluated.
With JSONP, the browser provides a JavaScript prefix to the server; by convention, the browser provides the prefix as a named query string argument in its request to the server, e.g.,
    <script type="text/javascript" src="http://domain1.com/getjson?jsonp=parseResponse"></script>
The server then wraps its JSON response with this prefix, or "padding", before sending it to the browser. When the browser receives the wrapped response from the server, it is now a script rather than simply a data declaration.

In this example, what is received is
    parseResponse({"Name": "Cheeso", "Rank": 7})
...which can cause a change of state within the browser's execution context, because it invokes a method.
While the padding (prefix) is typically the name of a callback function that is defined within the execution context of the browser, it may also be a variable assignment, an if statement, or any other JavaScript statement prefix.

The original proposal for JSONP appears to have been made by Bob Ippolito in 2005[17] and is now used by many Web 2.0 applications such as Dojo Toolkit Applications, Google Web Toolkit Applications[18] and Web Services. Further extensions of this protocol have been proposed that take additional input arguments, as in the case of JSONPP,[19] which is supported by S3DB web services.

Because JSONP makes use of script tags, calls are essentially open to the world. For that reason, JSONP may be inappropriate to carry sensitive data.[20]

Including script tags from remote sites allows the remote sites to inject any content into a website. If the remote sites have vulnerabilities that allow JavaScript injection, the original site can also be affected.

Cross-site request forgery

Naïve deployments of JSONP are subject to cross-site request forgery attacks (CSRF or XSRF).[21] Because the HTML <script> tag does not respect the same origin policy in web browser implementations, a malicious page can request and obtain JSON data belonging to another site. This will allow the JSON-encoded data to be evaluated in the context of the malicious page, possibly divulging passwords or other sensitive data if the user is currently logged into the other site.

This is only a problem if the JSON-encoded data contains sensitive information that should not be disclosed to a third party, and the server depends on the browser's Same Origin Policy to block the delivery of the data in the case of an improper request. There is no problem if the server determines the propriety of the request itself, only putting the data on the wire if the request is proper. Cookies are not by themselves adequate for determining if a request was authorized. Exclusive use of cookies is subject to cross-site request forgery.
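A server-side sketch of the point above, as an added example (not code from any JSONP implementation): the server decides whether the request is proper before any data is serialized, using a per-session secret in addition to the cookie, and only then applies the padding. The `jsonp` parameter and `parseResponse` callback follow this page's example; the `token` parameter, the in-memory session store, the callback-name pattern and all function names are assumptions made for illustration.

```javascript
const crypto = require('crypto');

// Hypothetical in-memory session store: session id -> { token, data }.
function createSession(store, data) {
  const sid = crypto.randomBytes(16).toString('hex');   // sent to the browser as a cookie
  const token = crypto.randomBytes(32).toString('hex'); // given to the page itself, never a cookie
  store.set(sid, { token, data });
  return { sid, token };
}

// Constant-time comparison so response timing does not leak the token.
function tokensMatch(expected, supplied) {
  if (typeof supplied !== 'string') return false;
  const a = Buffer.from(expected, 'utf8');
  const b = Buffer.from(supplied, 'utf8');
  return a.length === b.length && crypto.timingSafeEqual(a, b);
}

// Assumption: the padding is restricted to a plain function name, so the
// server never reflects an arbitrary statement prefix into a script.
const CALLBACK_NAME = /^[A-Za-z_$][A-Za-z0-9_$]{0,63}$/;

// request: { cookies: {sid}, query: {jsonp, token} } (hypothetical shape).
function handleGetJson(store, request) {
  const cookies = request.cookies || {};
  const query = request.query || {};

  const session = store.get(cookies.sid);
  if (!session) return { status: 401, body: '' };

  // The browser attaches the cookie to every <script src=...> request,
  // including one placed on a third-party page, so the cookie alone does
  // not show the request is proper. The token is known only to pages the
  // server issued it to.
  if (!tokensMatch(session.token, query.token)) return { status: 403, body: '' };

  const json = JSON.stringify(session.data);
  if (query.jsonp === undefined) {
    return { status: 200, type: 'application/json', body: json };
  }
  if (typeof query.jsonp !== 'string' || !CALLBACK_NAME.test(query.jsonp)) {
    return { status: 400, body: '' };
  }
  // Wrap the JSON in the requested padding.
  return { status: 200, type: 'text/javascript', body: query.jsonp + '(' + json + ')' };
}

// Constructed requests against one constructed session.
function demo() {
  const store = new Map();
  const { sid, token } = createSession(store, { Name: 'Cheeso', Rank: 7 });
  return {
    // Cookie present, token absent: what a script tag on another site sends.
    crossSite: handleGetJson(store, { cookies: { sid }, query: { jsonp: 'parseResponse' } }),
    legitimate: handleGetJson(store, { cookies: { sid }, query: { jsonp: 'parseResponse', token } }),
    badPadding: handleGetJson(store, { cookies: { sid }, query: { jsonp: 'var result = ', token } }),
    noSession: handleGetJson(store, { cookies: {}, query: { token } })
  };
}

console.log(demo());
```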

Object references

The JSON standard does not support object references, but the Dojo Toolkit illustrates how conventions can be adopted to support such references using standard JSON. Specifically, the dojox.json.ref module provides support for several forms of referencing including circular, multiple, inter-message, and lazy referencing.[22]

References

  1. Crockford, Douglas (May 28, 2009). "Introducing JSON". json.org. http://json.org. Retrieved July 3, 2009.
  2. Yahoo!. "Using JSON with Yahoo! Web services". http://developer.yahoo.com/common/json.html. Retrieved July 3, 2009.
  3. Google. "Using JSON with Google Data APIs". http://code.google.com/apis/gdata/json.html. Retrieved July 3, 2009.
  4. Crockford, Douglas (July 9, 2008). "JSON in JavaScript". json.org. http://www.json.org/js.html. Retrieved September 8, 2008.
  5. http://json-schema.org
  6. Douglas Crockford (July 2006). "IANA Considerations". The application/json Media Type for JavaScript Object Notation (JSON). IETF. sec. 6. RFC 4627. http://tools.ietf.org/html/rfc4627#section-6. Retrieved October 21, 2009.
  7. Crockford, Douglas (December 6, 2006). "JSON: The Fat-Free Alternative to XML". http://www.json.org/fatfree.html. Retrieved July 3, 2009.
  8. "Using Native JSON". June 30, 2009. https://developer.mozilla.org/en/Using_JSON_in_Firefox. Retrieved July 3, 2009.
  9. Barsan, Corneliu (September 10, 2008). "Native JSON in IE8". http://blogs.msdn.com/ie/archive/2008/09/10/native-json-in-ie8.aspx. Retrieved July 3, 2009.
  10. Hunt, Oliver (June 22, 2009). "Implement ES 3.1 JSON object". https://bugs.webkit.org/show_bug.cgi?id=20031. Retrieved July 3, 2009.
  11. "YUI 2: JSON utility". September 1, 2009. http://developer.yahoo.com/yui/json/#native. Retrieved October 22, 2009.
  12. "Ticket #4429". May 22, 2009. http://dev.jquery.com/ticket/4429. Retrieved July 3, 2009.
  13. "Ticket #8111". June 15, 2009. http://trac.dojotoolkit.org/ticket/8111. Retrieved July 3, 2009.
  14. "Ticket 419". October 11, 2008. https://mootools.lighthouseapp.com/projects/2706/tickets/419-use-the-native-json-object-if-available. Retrieved July 3, 2009.
  15. Ben-Kiki, Oren; Evans, Clark; döt Net, Ingy (May 13, 2008). "YAML Ain’t Markup Language (YAML) Version 1.2". http://yaml.org/spec/1.2/#id2560236. Retrieved July 3, 2009. "YAML can therefore be viewed as a natural superset of JSON, offering improved human readability and a more complete information model. This is also the case in practice; every JSON file is also a valid YAML file. This makes it easy to migrate from JSON to YAML if/when the additional features are required."
  16. RedHanded (April 7, 2005). "YAML is JSON". http://redhanded.hobix.com/inspect/yamlIsJson.html. Retrieved July 3, 2009.
  17. "Remote JSON - JSONP". from __future__ import *. Bob.pythonmac.org. December 5, 2005. http://bob.pythonmac.org/archives/2005/12/05/remote-json-jsonp/. Retrieved September 8, 2008.
  18. "GWT Tutorial: How to Read Web Services Client-Side with JSONP". Google Web Toolkit Applications. February 6, 2008. http://www.gwtapps.com/?p=42. Retrieved July 3, 2009.
  19. Almeida, Jonas (June 11, 2008). "JSON, JSONP, JSONPP?". S3DB. http://sites.google.com/a/s3db.org/s3db/documentation/mis/json-jsonp-jsonpp. Retrieved April 26, 2009.
  20. RIAspot. "JSON P for Cross Site XHR". http://www.riaspot.com/blogs/entry/JSONP-for-Cross-Site-XHR.
  21. Grossman, Jeremiah (January 27, 2006). "Advanced Web Attack Techniques using GMail". http://jeremiahgrossman.blogspot.com/2006/01/advanced-web-attack-techniques-using.html. Retrieved July 3, 2009.
  22. Zyp, Kris (June 17, 2008). "JSON referencing in Dojo". http://www.sitepen.com/blog/2008/06/17/json-referencing-in-dojo. Retrieved July 3, 2009.


JSON (an acronym for JavaScript Object Notation (pronounced /dʒeɪsɔːn/)) is a lightweight text-based open standard designed for human-readable data interchange. It is derived from the JavaScript programming language for representing simple data structures and associative arrays, called objects. Despite its relationship to JavaScript, it is language-independent, with parsers available for virtually every programming language.

The JSON format was originally specified by Douglas Crockford, and is described in RFC 4627. The official Internet media type for JSON is application/json. The JSON filename extension is .json.

The JSON format is often used for serializing and transmitting structured data over a network connection. It is primarily used to transmit data between a server and web application, serving as an alternative to XML.


History

Douglas Crockford was the first to specify and popularize the JSON format.[1]

JSON was used at State Software, a company co-founded by Crockford, starting around 2001. The JSON.org website was launched in 2002. In December 2005, Yahoo! began offering some of its web services in JSON.[2] Google started offering JSON feeds for its GData web protocol in December 2006.[3]

Although JSON was based on a subset of the JavaScript programming language (specifically, Standard ECMA-262 3rd Edition—December 1999[4]) and is commonly used with that language, it is considered to be a language-independent data format. Code for parsing and generating JSON data is readily available for a large variety of programming languages. json.org provides a comprehensive listing of existing JSON libraries, organized by language.

Data types, syntax and example

JSON's basic types are:

The following example shows the JSON representation of an object that describes a person. The object has string fields for first name and last name, a number field for age, contains an object representing the person's address, and contains a list (an array) of phone number objects.

{
    "firstName": "John",
    "lastName": "Smith",
    "age": 25,
    "address": 
    {
        "streetAddress": "21 2nd Street",
        "city": "New York",
        "state": "NY",
        "postalCode": "10021"
    },
    "phoneNumber": 
    [
        {
          "type": "home",
          "number": "212 555-1234"
        },
        {
          "type": "fax",
          "number": "646 555-4567"
        }
    ]
}

A strictly bijective equivalent for the above in XML could be:

 firstName     John
 lastName      Smith
 age           25
 address
   
     streetAddress 21 2nd Street
     city          New York
     state         NY
     postalCode    10021
   
 
 phoneNumber
   
     
       type          home
       number        212 555-1234
     
     
       type          fax
       number        646 555-4567
     
   
 

Since JSON is a subset of JavaScript it is possible (but not recommended) to parse the JSON text into an object by invoking JavaScript's eval() function. For example, if the above JSON data is contained within a JavaScript string variable contact, one could use it to create the JavaScript object p like so:

var p = eval("(" + contact + ")"); 

The contact variable must be wrapped in parentheses to avoid an ambiguity in JavaScript's syntax.[5]

The recommended way, however, is to use a JSON parser. Unless a client absolutely trusts the source of the text, or must parse and accept text which is not strictly JSON-compliant, one should avoid eval(). A correctly implemented JSON parser will accept only valid JSON, preventing potentially malicious code from running.

Modern browsers, such as Firefox 3.5 and Internet Explorer 8, include special features for parsing JSON. As native browser support is more efficient and secure than eval(), it is expected that native JSON support will be included in the next ECMAScript standard.[6]
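The difference between eval() and a strict parser, shown on three inputs. This is an added example, not code from the original article; the function names, the audit flag and the sample texts are constructed for the demonstration.

```javascript
// Added example: eval() versus a strict JSON parser on the same inputs.
// All sample texts below are constructed for this demonstration.

// Records whether any code embedded in a "JSON" text actually ran.
const audit = { executed: false };

// The discouraged approach from the text: treat the text as JavaScript source.
function parseWithEval(text) {
  return eval("(" + text + ")");
}

// The recommended approach: accept only valid JSON, report everything else.
function parseStrict(text) {
  try {
    return { ok: true, value: JSON.parse(text) };
  } catch (err) {
    return { ok: false, error: err.name };
  }
}

// 1. Well-formed JSON: both approaches yield the same object.
const contact = '{"firstName": "John", "lastName": "Smith", "age": 25}';

// 2. Valid JavaScript but not JSON (single quotes, unquoted key, trailing comma).
const lenient = "{firstName: 'John', age: 25,}";

// 3. Looks like data, but the "age" value is an expression with a side effect.
const active = '{"firstName": "John", "age": (audit.executed = true, 25)}';

// Run both parsers on one text and report what each of them did.
function compare(text) {
  audit.executed = false;
  const viaEval = parseWithEval(text);
  return {
    evalAge: viaEval.age,
    codeRan: audit.executed,
    strict: parseStrict(text),
  };
}

for (const [label, text] of [["contact", contact], ["lenient", lenient], ["active", active]]) {
  const r = compare(text);
  console.log(label, "eval age:", r.evalAge, "code ran:", r.codeRan,
              "strict ok:", r.strict.ok, r.strict.error || "");
}
```

The third input yields the same object through eval() as the first one does, so the caller gets no sign that embedded code ran; only the strict parser distinguishes them.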

JSON schema

There are several ways to verify the structure and data types inside a JSON object, much like an XML schema.

JSON Schema[7] is a specification for a JSON-based format for defining the structure of JSON data. JSON Schema provides a contract for what JSON data is required for a given application and how it can be modified, much like what XML Schema provides for XML. JSON Schema is intended to provide validation, documentation, and interaction control of JSON data. JSON Schema is based on the concepts from XML Schema, RelaxNG, and Kwalify, but is intended to be JSON-based, so that JSON data in the form of a schema can be used to validate JSON data, the same serialization/deserialization tools can be used for the schema and data, and it can be self descriptive.

Using JSON in Ajax

The following JavaScript code shows how the client can use an XMLHttpRequest to request an object in JSON format from the server. (The server-side programming is omitted; it has to be set up to respond to requests at url with a JSON-formatted string.)

var my_JSON_object = {};
var http_request = new XMLHttpRequest();
http_request.open("GET", url, true);
http_request.onreadystatechange = function () {
    if (http_request.readyState == 4 && http_request.status == 200) {
        my_JSON_object = JSON.parse(http_request.responseText);
    }
};
http_request.send(null);

Note that the use of XMLHttpRequest in this example is not cross-browser compatible; syntactic variations are available for Internet Explorer, Opera, Safari, and Mozilla-based browsers. The usefulness of XMLHttpRequest is limited by the same origin policy: the URL replying to the request must reside within the same DNS domain as the server that hosts the page containing the request. Alternatively, the JSONP approach incorporates the use of an encoded callback function passed between the client and server to allow the client to load JSON-encoded data from third-party domains and to notify the caller function upon completion, although this imposes some security risks and additional requirements upon the server.

Browsers can also use <iframe> elements to asynchronously request JSON data in a cross-browser fashion, or use simple <form> submissions. These approaches were prevalent prior to the advent of widespread support for XMLHttpRequest.

Dynamic

The server then wraps its JSON response with this prefix, or "padding", before sending it to the browser. When the browser receives the wrapped response from the server it is now a script, rather than simply a data declaration. In this example, what is received is

  parseResponse({"Name": "Cheeso", "Rank": 7}) 

...which can cause a change of state within the browser's execution context, because it invokes a method.

The Padding

While the padding (prefix) is typically the name of a callback function that is defined within the execution context of the browser, it may also be a variable assignment, an if statement, or any other JavaScript statement prefix.
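The wrapping step and its effect in the browser, as an added example that is not part of the original article. It assumes a server that deliberately accepts only a callback function name as padding, not the other statement prefixes mentioned above; wrapJsonp, runAsScript, isAccepted and the identifier rule are hypothetical names and choices for this sketch.

```javascript
// Added example: building and consuming a JSONP response.
// wrapJsonp, runAsScript and the identifier rule are assumptions of this sketch.

// Server side: accept only a plain (optionally dotted) identifier as padding,
// so the only thing a response can do is call one named function.
const CALLBACK_NAME = /^[A-Za-z_$][A-Za-z0-9_$]*(\.[A-Za-z_$][A-Za-z0-9_$]*)*$/;

function wrapJsonp(callback, data) {
  if (typeof callback !== "string" || callback.length > 64 ||
      !CALLBACK_NAME.test(callback)) {
    throw new RangeError("rejected JSONP callback name");
  }
  // JSON.stringify output is valid JSON; U+2028/U+2029 are escaped because
  // older JavaScript engines treat them as line terminators inside strings.
  const body = JSON.stringify(data)
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
  return callback + "(" + body + ")";
}

// Browser side, simulated: a <script> response is executed, not parsed.
// `scope` stands in for the functions defined by the requesting page.
function runAsScript(responseText, scope) {
  const names = Object.keys(scope);
  const run = new Function(...names, responseText + ";");
  run(...names.map((n) => scope[n]));
}

// Constructed data matching the article's example response.
const response = wrapJsonp("parseResponse", { Name: "Cheeso", Rank: 7 });

let received = null;
runAsScript(response, { parseResponse: (obj) => { received = obj; } });
console.log(response, "->", received);

// Padding that is more than a function name is refused by this server.
function isAccepted(callback) {
  try { wrapJsonp(callback, {}); return true; } catch (e) { return false; }
}
console.log(isAccepted("app.handlers.onData"), isAccepted("x=1;parseResponse"));
```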

Script Tag Injection

But to make a JSONP call, you need a script tag. Therefore, for each new JSONP request, the browser must add a new






