[Developers] Change in JSON output
Alec Flett
alecf at metaweb.com
Thu Mar 5 01:05:54 UTC 2009
> 2) That said, we are still debating internally if we're going to keep
> this or not, and should have an answer by Friday, 3/6.
And here you have your answer already: We're going to do another
release which includes reverting back to the old, unescaped format.
I'll post here again when the new software goes out to sandbox and www.
FWIW, the rationale (at least from my perspective) for ignoring the
security issue is that the direct text output of mqlread is rarely, if
ever, embedded directly in an HTML page... if you are going to embed
json in a page, usually it is parsed by a json parser, and then some
fragment is re-serialized, so it's up to you to make sure your
reserialized json does this escaping.
Alec
> We're trying to
> prevent mashup developers from shooting themselves in the foot because
> someone introduces a XSS attack into the freebase data, but there's
> obviously a limit to how much we can prevent, and how much the onus is
> on developers. I would be very curious if anyone here has any specific
> opinions:
>
> a) "Let me shoot myself in the foot, I will write secure code"
> b) "Thank you for closing this hole, my application was not safe!"
> c) ?
>
> 3) We'll try to make all the APIs consistent, but one way or another
> you need to use a real JSON (or JS) parser, not try to do custom
> decoding, grepping, or string-matching against our APIs. At the moment
> the only guarantee we will make is that we output legal JSON that has
> a consistent semantic meaning AFTER parsing.
>
> Alec
>
>> Thanks,
>>
>> Kendra
>>
>> -----Original Message-----
>> From: developers-bounces at freebase.com
>> [mailto:developers-bounces at freebase.com] On Behalf Of Will Moffat
>> Sent: Wednesday, March 04, 2009 12:25 PM
>> To: For discussions about MQL, Freebase API and apps built on
>> Freebase
>> Subject: Re: [Developers] Change in JSON output
>>
>> Dear Kendra,
>>
>>> What is the best way for the developers to know that there is a
>>> release
>>> cycle coming up?
>>
>> That's something we need to formalize, I've filed a tracking issue:
>> https://bugs.freebase.com/browse/FREEBASE-467
>>
>> Please let us know what you'd like to see.
>> regards,
>> --Will
>>
>> _______________________________________________
>> Developers mailing list
>> Developers at freebase.com
>> http://lists.freebase.com/mailman/listinfo/developers
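The escaping Alec says is left to the application, shown as an added example that is not code from this thread or from Freebase: a constructed record with a `</script>` sequence in a text field, raw `JSON.stringify` output that would end an inline script early, and a small re-serializer that escapes the characters that matter inside an HTML script body while staying valid JSON. Every name here (`record`, `toInlineJson`, `breaksOutOfScript`) is assumed for the example.

```javascript
// Added example (not Freebase code): why raw JSON needs extra escaping
// before being embedded inline in HTML, and one way to do that escaping.

// Constructed sample record: the description carries markup, the kind of
// user-contributed value the thread is worried about.
const record = {
  name: "Example topic",
  description: "see </script><script>alert(1)</script> for details",
  note: "line\u2028break",
};

// JSON.stringify alone leaves '<', '>', '&' and the U+2028/U+2029 line
// separators untouched, so its output can terminate an inline <script>.
function rawInlineScript(value) {
  return "<script>var data = " + JSON.stringify(value) + ";</script>";
}

// Escape the characters that matter inside an HTML <script> body.
// The replacements are \uXXXX escapes, so the result is still valid JSON
// and a JSON parser returns the original value unchanged.
function toInlineJson(value) {
  return JSON.stringify(value).replace(/[<>&\u2028\u2029]/g, (ch) =>
    "\\u" + ch.charCodeAt(0).toString(16).padStart(4, "0"));
}

function safeInlineScript(value) {
  return "<script>var data = " + toInlineJson(value) + ";</script>";
}

// Does the script body contain an early closing tag (case-insensitive)?
function breaksOutOfScript(html) {
  const body = html.slice("<script>".length, -"</script>".length);
  return /<\/script/i.test(body);
}

// Round-trip check: the escaping must not change the parsed value.
function roundTrips(value) {
  return JSON.stringify(JSON.parse(toInlineJson(value))) === JSON.stringify(value);
}
```

The same rule applies whether the JSON comes straight from mqlread or is re-serialized after parsing: the escaping belongs at the point where the text is written into HTML.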