[Developers] Change in JSON output
Alec Flett
alecf at metaweb.com
Thu Mar 12 17:25:48 UTC 2009
On Mar 4, 2009, at 5:05 PM, Alec Flett wrote:
>> 2) That said, we are still debating internally if we're going to keep
>> this or not, and should have an answer by Friday, 3/6.
>
> And here you have your answer already: We're going to do another
> release which includes reverting back to the old, unescaped format.
> I'll post here again when the new software goes out to sandbox and
> www.
>
This is now deployed. Here's some output cut 'n pasted from www.freebase.com/api/service/mqlread:
{
  "b2": {
    "code": "/api/status/ok",
    "result": [
      {
        "/type/reflect/any_master": [
          {
            "id": "/language/human_language",
            "key": [
              {
                "namespace": "/language",
                "type": "/type/key",
                "value": "human_language"
              }
            ],
            ...
> FWIW, the rationale (at least from my perspective) for ignoring the
> security issue is that the direct text output of mqlread is rarely, if
> ever, embedded directly in an HTML page... if you are going to embed
> json in a page, usually it is parsed by a json parser, and then some
> fragment is re-serialized, so it's up to you to make sure your
> reserialized json does this escaping.
>
> Alec
>
>> We're trying to prevent mashup developers from shooting themselves in
>> the foot because someone introduces an XSS attack into the freebase
>> data, but there's obviously a limit to how much we can prevent, and how
>> much the onus is on developers. I would be very curious if anyone here
>> has any specific opinions:
>>
>> a) "Let me shoot myself in the foot, I will write secure code"
>> b) "Thank you for closing this hole, my application was not safe!"
>> c) ?
>>
>> 3) We'll try to make all the APIs consistent, but one way or another
>> you need to use a real JSON (or JS) parser, not try to do custom
>> decoding, grepping, or string-matching against our APIs. At the moment
>> the only guarantee we will make is that we output legal JSON that has
>> a consistent semantic meaning AFTER parsing.
>>
>> Alec
>>
>>> Thanks,
>>>
>>> Kendra
>>>
>>> -----Original Message-----
>>> From: developers-bounces at freebase.com
>>> [mailto:developers-bounces at freebase.com] On Behalf Of Will Moffat
>>> Sent: Wednesday, March 04, 2009 12:25 PM
>>> To: For discussions about MQL, Freebase API and apps built on
>>> Freebase
>>> Subject: Re: [Developers] Change in JSON output
>>>
>>> Dear Kendra,
>>>
>>>> What is the best way for the developers to know that there is a
>>>> release cycle coming up?
>>>
>>> That's something we need to formalize, I've filed a tracking issue:
>>> https://bugs.freebase.com/browse/FREEBASE-467
>>>
>>> Please let us know what you'd like to see.
>>> regards,
>>> --Will
>>>
>>> _______________________________________________
>>> Developers mailing list
>>> Developers at freebase.com
>>> http://lists.freebase.com/mailman/listinfo/developers
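Added example, not part of the original thread and not Freebase code: one way a mashup could follow the advice above, parsing the mqlread response with a real JSON parser and escaping the fragment it re-serializes into an HTML page. The function names, the sample response and the choice of escaped characters (<, >, &, U+2028, U+2029) are assumptions made for illustration.

```javascript
'use strict';

// Constructed sample: an mqlread-style response in which a stored value
// contains markup, as careless or hostile data in the graph might.
const rawResponse = JSON.stringify({
  code: '/api/status/ok',
  result: [{ id: '/en/example', name: 'A </script> & B\u2028C', extra: 1 }]
});

// Characters that are legal inside a JSON string but can end a <script>
// block, start an HTML entity or comment, or break older JS parsers.
const HTML_UNSAFE = /[<>&\u2028\u2029]/g;

// Serialize a value as JSON that is safe to place inside <script>...</script>.
// In JSON text these characters can only occur inside strings, so replacing
// them with \uXXXX escapes never changes the parsed value.
function serializeForScript(value) {
  return JSON.stringify(value).replace(HTML_UNSAFE, (ch) =>
    '\\u' + ch.charCodeAt(0).toString(16).padStart(4, '0'));
}

// Parse the API response, keep only the fields the page needs, and
// re-serialize that fragment with escaping (hypothetical helper).
function embedFragment(responseText) {
  const parsed = JSON.parse(responseText); // real parser, no string matching
  const fragment = parsed.result.map((r) => ({ id: r.id, name: r.name }));
  return '<script>var topics = ' + serializeForScript(fragment) + ';</script>';
}

// The unsafe variant, for comparison only: raw JSON pasted into the page.
function embedNaively(responseText) {
  return '<script>var topics = ' + responseText + ';</script>';
}

// True when the only </script> in the markup is the closing tag at the end.
function scriptBlockIsIntact(html) {
  return html.indexOf('</script>') === html.length - '</script>'.length;
}

console.log(embedFragment(rawResponse));
console.log('escaped intact:', scriptBlockIsIntact(embedFragment(rawResponse)));
console.log('naive intact:  ', scriptBlockIsIntact(embedNaively(rawResponse)));
```

Both the escaped and the unescaped text parse to the same value, which is why code that string-matches against the raw response breaks when the serialization changes while code that parses it does not.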