JavaScript Object Notation | |
---|---|
Filename extension | .json |
Internet media type | application/json |
Extended from | [[Extended from::JavaScript]] |
Type | Markup language |
Standard | RFC 4627 |
Website | http://json.org |
File formats category - |
JavaScript Object Notation, or JSON, is a lightweight computer data interchange format. It is a text-based, human-readable format for representing simple data structures and associative arrays (called objects) in serialization and serves as an alternative to XML.
The JSON format was originally specified in RFC 4627 by Douglas Crockford.
Syntax[]
A JSON object is identified by curly brackets.
{ }
Objects are assigned properties as it acts as an associative array. It can contain key-value pairs, where the key is a string and the value is any of the following: a number, a string, another JSON object, a JSON array, true
, false
, and null
. The key-value pairs are separated by commas. The key and the value are separated by a colon.
{"name": "Christine", "age": 23}
Arrays are sets of possible JSON values identified by square brackets. Each value is separated by a comma.
{"list": [{"item": "apple", "quantity": 2}, {"item": "orange", "quantity": 1}]}
JSON strings are escaped with backslashes similar to JavaScript.
The following example shows the JSON representation of an object that describes a person. The object has string fields for first name and last name, contains an object representing the person's address, and contains a list (an array) of phone number objects.
{
"firstName": "John",
"lastName": "Smith",
"age": 25,
"address": {
"streetAddress": "21 2nd Street",
"city": "New York",
"state": "NY",
"postalCode": "10021"
},
"phoneNumber": [
{ "type": "home", "number": "212 555-1234" },
{ "type": "fax", "number": "646 555-4567" }
],
}
A possible equivalent for the above in XML could be:
<Person>
<firstName>John</firstName>
<lastName>Smith</lastName>
<age>25</age>
<address>
<streetAddress>21 2nd Street</streetAddress>
<city>New York</city>
<state>NY</state>
<postalCode>10021</postalCode>
</address>
<phoneNumber type="home">212 555-1234</phoneNumber>
<phoneNumber type="fax">646 555-4567</phoneNumber>
</Person>
Since JSON is a subset of JavaScript it is possible, but not recommended, to parse the JSON text into an object by invoking JavaScript's eval()
function. For example, assume the above JSON text segment is contained in the JavaScript string variable contact
. Creating a JavaScript object, p, from the JSON data could be done with the statement:
var p = eval("(" + contact + ")");
The contact
variable must be wrapped in parentheses to avoid an ambiguity in JavaScript's syntax.
The recommended way, however, is to use a JSON parser. Unless a client absolutely trusts the source of the text, or must parse and accept text which is not strictly JSON-compliant, one should avoid eval()
. A JSON parser will accept only valid JSON, preventing potentially malicious code from running.
JSON schema[]
There are several ways to verify the structure and data types inside a JSON object, much like an XML schema.
JSON Schema[1] is a specification for a JSON-based format for defining the structure of JSON data. JSON Schema provides a contract for what JSON data is required for a given application and how it can be modified, much like what XML Schema provides for XML. JSON Schema is intended to provide validation, documentation, and interaction control of JSON data. JSON Schema is based on the concepts from XML Schema, RelaxNG, and Kwalify, but is intended to be JSON-based, so that JSON data in the form of a schema can be used to validate JSON data, the same serialization/deserialization tools can be used for the schema and data, and it can be self descriptive.
Security issues[]
Although JSON is intended as a data serialization format, its design as a subset of the JavaScript programming language poses several security concerns. These concerns center on the use of a JavaScript interpreter to dynamically execute JSON text as JavaScript, thus exposing a program to errant or malicious script contained therein—often a chief concern when dealing with data retrieved from the internet. While not the only way to process JSON, it is an easy and popular technique, stemming from JSON's compatibility with JavaScript's eval()
function, and illustrated by the following code examples.
JavaScript eval()
[]
Because all JSON-formatted text is also syntactically legal JavaScript code, an easy way for a JavaScript program to parse JSON-formatted data is to use the built-in JavaScript eval()
function, which was designed to evaluate JavaScript expressions. Rather than using a JSON-specific parser, the JavaScript interpreter itself is used to execute the JSON data to produce native JavaScript objects.
Native JSON[]
Recent web browsers now either have or are working on native JSON encoding/decoding which removes the eval()
security problem above. Native JSON is generally faster compared to the JavaScript libraries commonly used before.
Comparison with other formats[]
- Main article: lightweight markup language
XML[]
XML is often used to describe structured data and to serialize objects. Various XML-based protocols exist to represent the same kind of data structures as JSON for the same kind of data interchange purposes. However, XML being a general-purpose markup language, they are syntactically more complex and bigger in file size than JSON, which, in contrast, is specifically designed for data interchange.
Both lack an explicit mechanism for representing large binary data types such as image data (although binary data can be serialized in either case by applying a general-purpose binary-to-text encoding scheme). JSON lacks references (something XML has via extensions like XLink and XPointer) and has no standard path notation comparable to XPath.
YAML[]
Both functionally and syntactically, YAML is effectively a superset of JSON. The common YAML library (Syck) also parses JSON. Prior to YAML version 1.2, YAML was not quite a perfect superset of JSON, primarily because it lacked native handling of UTF-32 and required comma separators to be followed by a space.
The most distinguishing point of comparison is that YAML offers the following syntax enrichments which have no corresponding expression in JSON:
- Relational
- YAML offers syntax for relational data: rather than repeating identical data later in a document, a YAML document can refer to an anchor earlier in the file/stream. Recursive structures (for example, an array containing itself) can be expressed this way. For example, a film data base might list actors (and their attributes) under a Movie's cast, and also list Movies (and their attributes) under an Actor's portfolio.
- Extensible
- YAML also offers extensible data types beyond primitives (i.e., strings, floats, ints, bools) which can include class-type declarations.
- Blocks
- YAML uses a block-indent syntax to allow formatting of structured data without use of additional characters (ie: braces, brackets, quotation marks, etc.). Besides giving YAML a different appearance than JSON, this block-indent device permits the encapsulation of text from other markup languages or even JSON in the other languages native literal style and without escaping of colliding sigils.
Efficiency[]
JSON is primarily used for communicating data over the Internet, but has certain characteristics that may limit its efficiency for this purpose. Most of the limitations are general limitations of textual data formats and also apply to XML and YAML. For example, decoding must be done on a character-by-character basis, and the standard has no provision for data compression, interning of strings, or object references. Compression can, of course, be applied to the JSON formatted data.
In practice performance can be comparable to that of similar binary data formats and often depends more on implementation quality than on the theoretical limitations of formats.
JSONP[]
JSONP or "JSON with padding" is a complement to the base JSON data format, a usage pattern that allows a page to request and more meaningfully use JSON from a server other than the primary server.
Under the same origin policy, a web page served from domain1.com cannot normally connect to or communicate with a server other than domain1.com. An exception is HTML <script>
tags, which can retrieve data from locations other than domain1.com. Taking advantage of the open policy for <script>
tags, some pages use them to retrieve JSON from other origins. Without JSONP, a script URL that returns JSON just embeds a data statement into a browser page. In other words, the browser would receive something like:
{"Name": "Cheeso", "Rank": 7}
... which may be interesting but is just data, and has no externally detectable effect in the browser's execution context when received and evaluated.
With JSONP, the browser provides a JavaScript prefix to the server; by convention, the browser provides the prefix as a named query string argument in its request to the server, e.g.,
<script type="text/javascript" src="http://domain1.com/getjson?jsonp=parseResponse"></script>
The server then wraps its JSON response with this prefix, or "padding", before sending it to the browser. When the browser receives the wrapped response from the server it is now a script, rather than simply a data declaration. In this example, what is received is
parseResponse({"Name": "Cheeso", "Rank": 7})
...which can cause a change of state within the browser's execution context, because it invokes a method.
While the padding (prefix) is typically the name of a callback function that is defined within the execution context of the browser, it may also be a variable assignment, an if statement, or any other Javascript statement prefix.
Because JSONP makes use of script tags, calls are essentially open to the world. For that reason, JSONP may be inappropriate to carry sensitive data.
Including script tags from remote sites allows the remote sites to inject any content into a website. If the remote sites have vulnerabilities that allow JavaScript injection, the original site can also be affected.
References[]
External links[]
- Official site
- RFC 4627, current formal JSON specification.
- JSON-Introduction By Microsoft
- JSON beautifier
- JSON Viewer
- JSON Formatter
- Video: Douglas Crockford — The JSON Saga
- JSON Validator
- JSON Editor
- JSON to XML
- XML to JSON