Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

encoding/json: add Encoder option to control escaping behavior #14749

Closed
cyberphone opened this issue Mar 10, 2016 · 7 comments

Comments

Projects
None yet
6 participants
@cyberphone
Copy link

commented Mar 10, 2016

  1. What version of Go are you using? 5.3
  2. What operating system and processor architecture are you using? amd64,windows
  3. What did you do?
package main

import "fmt"
import "encoding/json"

func main() {
    mapD := map[string]string{"trouble": "</script>"}
    mapB, _ := json.Marshal(mapD)
    fmt.Println(string(mapB))
}
  1. What did you expect to see?
    {"trouble":"</script>"}
  2. What did you see instead?
    {"trouble":"\u003c/script\u003e"}

Related: #14135

Comment: In my JSON implementation for Java, I have made JavaScript serialization an option. When supplied as JavaScript the above does not break signatures (JSON.stringify() performs the normal serialization), but "on the wire" you should IMHO always use ES6: https://mailarchive.ietf.org/arch/msg/json/I2dF4osWAUlvax48WTxnAei3ldQ

@minux minux changed the title JSON serialization of angle brackets is incompatible with ES6 encoding/json: serialization of angle brackets is incompatible with ES6 Mar 10, 2016

@minux

This comment has been minimized.

Copy link
Member

commented Mar 10, 2016

@odeke-em

This comment has been minimized.

Copy link
Member

commented Mar 10, 2016

The reason for this behavior is explained here https://golang.org/pkg/encoding/json/#Marshal
screen shot 2016-03-10 at 3 16 55 pm

For the time being if this issue is blocking you, please see http://stackoverflow.com/a/25923407.

@cyberphone

This comment has been minimized.

Copy link
Author

commented Mar 11, 2016

Yes, this is perfectly legal JSON but hardly no other JSON serializer does this.

The use case for following ES6 is enabling "crypto safe" JSON/JavaScript that can travel between different systems without getting corrupted:
https://cyberphone.github.io/openkeystore/resources/docs/jsonsignatures.html

The best solution to this problem is offering different options/modes for serialization which I did in my Java implementation:
https://github.com/cyberphone/openkeystore/blob/master/library/src/org/webpki/json/JSONOutputFormats.java
It wasn't very difficult :-)

@bradfitz

This comment has been minimized.

Copy link
Member

commented Apr 10, 2016

Let's make this bug about adding a method on json.Encoder to change its quoting behavior. The default will be unchanged.

(a method similar to https://golang.org/pkg/encoding/json/#Decoder.UseNumber or https://tip.golang.org/pkg/encoding/json/#Encoder.Indent)

@bradfitz bradfitz changed the title encoding/json: serialization of angle brackets is incompatible with ES6 encoding/json: add Encoder option to control escaping behavior Apr 10, 2016

@cespare

This comment has been minimized.

Copy link
Contributor

commented Apr 10, 2016

I can send a CL. (Or does this need more buy-in first?)

@bradfitz

This comment has been minimized.

Copy link
Member

commented Apr 10, 2016

Send a CL. It has a valid use case for JSON signing, etc.

@gopherbot

This comment has been minimized.

Copy link

commented Apr 10, 2016

CL https://golang.org/cl/21796 mentions this issue.

@gopherbot gopherbot closed this in ab52ad8 Apr 22, 2016

@golang golang locked and limited conversation to collaborators Apr 22, 2017

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
You can’t perform that action at this time.