JSON
<templatestyles src="Module:Hatnote/styles.css"></templatestyles>
<templatestyles src="Module:Hatnote/styles.css"></templatestyles>
Filename extension | .json |
---|---|
Internet media type | application/json |
Type code | TEXT |
Uniform Type Identifier (UTI) | public.json |
Type of format | Data interchange |
Extended from | JavaScript |
Standard | RFC 7159, ECMA-404 |
Website | json |
JSON (canonically pronounced /ˈdʒeɪsən/ JAY-sən;[1] sometimes JavaScript Object Notation) is an open standard format that uses human-readable text to transmit data objects consisting of attribute–value pairs. It is the primary data format used for asynchronous browser/server communication (AJAJ), largely replacing XML (used by AJAX).
Although originally derived from the JavaScript scripting language, JSON is a language-independent data format. Code for parsing and generating JSON data is readily available in many programming languages.
The JSON format was originally specified by Douglas Crockford. It is currently described by two competing standards, RFC 7159 and ECMA-404. The ECMA standard is minimal, describing only the allowed grammar syntax, whereas the RFC also provides some semantic and security considerations.[2] The official Internet media type for JSON is application/json
. The JSON filename extension is .json
.
Contents
History
JSON grew out of a need for stateful, real-time server-to-browser communication without using browser plugins such as Flash or Java applets, which were the dominant method in the early 2000s.
Douglas Crockford was the first to specify and popularize the JSON format.[3] The acronym was coined at State Software, a company co-founded by Crockford, Chip Morningstar and Robert F. Napiltonia in April 2001 and funded by Tesla Ventures. The co-founders agreed to build a system that used standard browser capabilities and provided an abstraction layer for Web developers to create stateful Web applications that had a persistent duplex connection to a Web server by holding the two HTTP connections open and recycling them before standard browser time-outs if no further data were exchanged. The idea for the State Application Framework was developed by Morningstar at State Software.[4][5] It was used in a project at Communities.com for Cartoon Network, which used a plug-in with a proprietary messaging format to manipulate DHTML elements (this system is also owned by 3DO). Upon discovery of early Ajax capabilities, digiGroups, Noosh, and others used frames to pass information into the user browsers' visual field without refreshing a Web application's visual context, realizing real-time rich Web applications using only the standard HTTP, HTML and JavaScript capabilities of Netscape 4.0.5+ and IE 5+. Crockford then found that JavaScript could be used as an object-based messaging format for such a system. The system was sold to Sun Microsystems, Amazon.com and EDS. The JSON.org Web site was launched in 2002. In December 2005, Yahoo! began offering some of its Web services in JSON.[6] Google started offering JSON feeds for its GData web protocol in December 2006.[7]
Although JSON was originally based on a non-strict subset of the JavaScript scripting language (specifically, Standard ECMA-262 3rd Edition—December 1999[8]) and is commonly used with that language, it is a language-independent data format. Code for parsing and generating JSON data is readily available for a large variety of programming languages. JSON's Web site lists JSON libraries by language.
Though JSON is commonly perceived as being a subset of JavaScript and ECMAScript, it allows some unescaped characters in strings that are illegal in JavaScript and ECMAScript strings.[9]
A typical mashup fetches JSON-format data from several different web servers using an Open API.
Data types, syntax and example
JSON's basic types are:
- Number: a signed decimal number that may contain a fractional part and may use exponential E notation. JSON does not allow non-numbers like NaN, nor does it make any distinction between integer and floating-point. (Even though JavaScript uses a double-precision floating-point format for all its numeric values, other languages implementing JSON may encode numbers differently)
- String: a sequence of zero or more Unicode characters. Strings are delimited with double-quotation marks and support a backslash escaping syntax.
- Boolean: either of the values
true
orfalse
- Array: an ordered list of zero or more values, each of which may be of any type. Arrays use square bracket notation with elements being comma-separated.
- Object: an unordered collection of name/value pairs where the names (also called keys) are strings. Since objects are intended to represent associative arrays,[10] it is recommended, though not required,[11] that each key is unique within an object. Objects are delimited with curly brackets and use commas to separate each pair, while within each pair the colon ':' character separates the key or name from its value.
null
: An empty value, using the wordnull
Whitespace is allowed and ignored around or between syntactic elements (values and punctuation, but not within a string value). However, only four specific characters are considered whitespace for this purpose: space, horizontal tab, line feed, and carriage return. JSON does not provide or allow any sort of comment syntax.
Early versions of JSON (such as specified by RFC 4627) required that a valid JSON "document" must consist of only an object or an array type—though they could contain other types within them. This restriction was removed starting with RFC 7158, so that a JSON document may consist entirely of any possible JSON typed value.
Example
The following example shows a possible JSON representation describing a person.
{
"firstName": "John",
"lastName": "Smith",
"isAlive": true,
"age": 25,
"address": {
"streetAddress": "21 2nd Street",
"city": "New York",
"state": "NY",
"postalCode": "10021-3100"
},
"phoneNumbers": [
{
"type": "home",
"number": "212 555-1234"
},
{
"type": "office",
"number": "646 555-4567"
}
],
"children": [],
"spouse": null
}
Data portability issues
Despite the widespread belief that JSON is a strict subset of JavaScript, this is not the case. Specifically, JSON allows the Unicode line terminators U+2028 LINE SEPARATOR and U+2029 PARAGRAPH SEPARATOR to appear unescaped in quoted strings, while JavaScript does not.[12] This is a consequence of JSON disallowing only "control characters". For maximum portability these characters should be backslash-escaped. This subtlety is important when generating JSONP.
JSON permits including the null character U+0000 <control-0000> in a string as long as it is escaped (with "\u0000"). However, this may cause problems with some JSON implementations, especially those based on the C language.[13]
JSON documents can be encoded in UTF-8, UTF-16 or UTF-32, the default encoding being UTF-8.[14] These encodings support the full Unicode character set, including those characters outside the Basic Multilingual Plane (U+10000 to U+10FFFF). However, if escaped those characters must be written using UTF-16 surrogate pairs, a detail missed by some JSON parsers. For example, to include the Emoji character U+1F602 😂 FACE WITH TEARS OF JOY in JSON:
{ "face": "😂" }
// or
{ "face": "\uD83D\uDE02" }
Numbers in JSON are agnostic with regards to their representation within programming languages. No differentiation is made between an integer and floating-point value: some implementations may treat 42
, 42.0
, and 4.2E+1
as the same number while others may not. Furthermore, no requirements are made regarding implementation issues such as overflow, underflow, loss of precision, or rounding. Additionally, JSON says nothing about the treatment of signed zeros: whether 0.0
is distinct from -0.0
. Most implementations that use the IEEE 754 floating-point standard, including JavaScript, will preserve signed zeros; but not all JSON implementations may do so.
Using JSON in JavaScript
Since JSON was derived from JavaScript and its syntax is (mostly) a subset of the language, it is often possible to use the JavaScript eval()
function to parse JSON data.
var p = eval('(' + json_string + ')');
This is unsafe if the string is untrusted. Instead, a JSON parser library or JavaScript's native JSON support should be used for reading and writing JSON.
var p = JSON.parse(json_string);
A correctly implemented JSON parser will only accept valid JSON, preventing potentially malicious code from being inadvertently executed.
Since 2010, web browsers such as Firefox and Internet Explorer have included support for parsing JSON. As native browser support is more efficient and secure than eval()
, native JSON support is included in Edition 5 of the ECMAScript standard.[15]
Unsupported native data types
JavaScript syntax defines several native data types that are not included in the JSON standard:[16] Date, Error, Regular Expression, Function, and undefined
.[note 1] These JavaScript data types must be represented by some other data format, with the programs on both ends agreeing on how to convert between the types. As of 2011[update], there are some de facto standards, e.g., converting from Date to String, but none universally recognized.[17][18] Other languages may have a different set of native types that must be serialized carefully to deal with this type of conversion.
Schema and metadata
JSON Schema
JSON Schema[19] specifies a JSON-based format to define the structure of JSON data for validation, documentation, and interaction control. A JSON Schema provides a contract for the JSON data required by a given application, and how that data can be modified.
JSON Schema is based on the concepts from XML Schema (XSD), but is JSON-based. The JSON data schema can be used to validate JSON data. As in XSD, the same serialization/deserialization tools can be used both for the schema and data. The schema is self-describing.
JSON Schema is an Internet Draft, currently version 4.[20] There are several validators available for different programming languages,[21] each with varying levels of conformance.
Example JSON Schema (draft 4):
{
"$schema": "http://json-schema.org/schema#",
"title": "Product",
"type": "object",
"required": ["id", "name", "price"],
"properties": {
"id": {
"type": "number",
"description": "Product identifier"
},
"name": {
"type": "string",
"description": "Name of the product"
},
"price": {
"type": "number",
"minimum": 0
},
"tags": {
"type": "array",
"items": {
"type": "string"
}
},
"stock": {
"type": "object",
"properties": {
"warehouse": {
"type": "number"
},
"retail": {
"type": "number"
}
}
}
}
}
The JSON Schema above can be used to test the validity of the JSON code below:
{
"id": 1,
"name": "Foo",
"price": 123,
"tags": [
"Bar",
"Eek"
],
"stock": {
"warehouse": 300,
"retail": 20
}
}
MIME type
The official MIME type for JSON text is "application/json
".[22] Although most modern implementations have adopted the official MIME type, many applications continue to provide legacy support for other MIME types. Many service providers, browsers, servers, web applications, libraries, frameworks, and APIs use, expect, or recognize the (unofficial) MIME type "text/json
" or the content-type "text/javascript
". Notable examples include the Google Search API,[23] Yahoo!,[23][24] Flickr,[23] Facebook API,[25] Lift framework,[26] Dojo Toolkit 0.4,[27] etc.
Applications
JSON-RPC
JSON-RPC is an RPC protocol built on JSON, as a replacement for XML-RPC or SOAP. It is a simple protocol that defines only a handful of data types and commands. JSON-RPC lets a system send notifications (information to the server that does not require a response) and multiple calls to the server that can be answered out of order. Example of a JSON-RPC 2.0 request and response using positional parameters.
--> {"jsonrpc": "2.0", "method": "subtract", "params": [42, 23], "id": 1}
<-- {"jsonrpc": "2.0", "result": 19, "id": 1}
Ajax
JSON is often used in Ajax techniques. Ajax is a term for the ability of a webpage to request new data after it has loaded into the web browser, usually in response to user actions on the displayed webpage. As part of the Ajax model, the new data is usually incorporated into the user interface display dynamically the moment it arrives back from the server. For example, when the user is typing into a search box, client-side code sends what they type to a server that will respond with a possible list of items from its database. These might be displayed in a drop-down list beneath the search box. The user may then stop typing and select the relevant string directly. When it was originally implemented in the mid-2000s, Ajax commonly used XML as the data interchange format. Now many developers use JSON to pass the Ajax updates between the server and the client.[28]
The following JavaScript code is just one example of a client using XMLHttpRequest to request data in JSON format from a server. (The server-side programming is omitted; it must be set up to service requests to the url
containing a JSON-formatted string.)
var my_JSON_object;
var http_request = new XMLHttpRequest();
http_request.open("GET", url, true);
http_request.onreadystatechange = function () {
var done = 4, ok = 200;
if (http_request.readyState === done && http_request.status === ok) {
my_JSON_object = JSON.parse(http_request.responseText);
}
};
http_request.send(null);
Security issues
Although JSON is intended solely as a data serialization format, its design as a non-strict subset of the JavaScript scripting language poses several security concerns. These concerns center on the use of a JavaScript interpreter to execute JSON text dynamically as embedded JavaScript. This exposes a program to errant or malicious scripts. This is a serious issue when dealing with data retrieved from the Internet. This easy and popular but risky technique exploits JSON's compatibility with the JavaScript eval()
function, which is described below.
JavaScript eval()
Because most JSON-formatted text is also syntactically legal JavaScript code, a seductively easy way for a JavaScript program to parse JSON-formatted data is to use the built-in JavaScript eval()
function, which was designed to evaluate JavaScript expressions. Rather than using a JSON-specific parser, the JavaScript interpreter itself is used to execute the JSON data producing native JavaScript objects. This technique is terribly risky, however, if there is any chance that the JSON data might contain arbitrary JavaScript code, which would then be executed also.
Unless precautions are taken to validate the data first, the eval technique is subject to security vulnerabilities when the data and the entire JavaScript environment are not within the control of a single trusted source. For example, if the data is itself not trusted, it is subject to malicious JavaScript code injection attacks. Such breaches of trust also can create vulnerabilities for data theft, authentication forgery, and other potential misuse of data and resources.
As a workaround, a regular expression can be used to partially validate the data prior to invoking eval()
. The RFC that defines JSON (RFC 4627) suggests using the following code to validate JSON before evaluating it (the variable 'text' is the input JSON):[29]
var my_JSON_object = !(/[^,:{}\[\]0-9.\-+Eaeflnr-u \n\r\t]/.test(
text.replace(/"(\\.|[^"\\])*"/g, ''))) && eval('(' + text + ')');
However, this validation is now known to be insufficient.[30]
A new function, JSON.parse()
, was thus developed as a safer alternative to eval
. It is specifically intended to process JSON data and not JavaScript. It was originally planned for inclusion in the Fourth Edition of the ECMAScript standard,[31] but this did not occur. It was first added to the Fifth Edition,[32] and is now supported by the major browsers given below. For older ones, a compatible JavaScript library is available at JSON.org.
An additional issue when parsing JSON using the eval()
function is that there are some Unicode characters that are valid in JSON strings but invalid in JavaScript, so additional escaping may be needed in some cases.[33]
Native encoding and decoding in browsers
Recent Web browsers now either have or are working on native JSON encoding/decoding. Not only does this eliminate the eval()
security problem above, but it can also increase performance compared to the JavaScript libraries commonly used before. As of June 2009 the following browsers have or will have native JSON support, via JSON.parse()
and JSON.stringify()
:
- Mozilla Firefox 3.5+[34]
- Microsoft Internet Explorer 8+[35]
- Opera 10.5+[36]
- WebKit-based browsers (Apple Safari)[37]
- Blink-based browsers (e.g. Google Chrome, Opera)
At least five popular JavaScript libraries have committed to use native JSON, if available:
Implementation-specific issues
Various JSON parser implementations suffered in the past from denial-of-service attack and mass assignment vulnerability.[43][44]
Object references
The JSON standard does not support object references, but an IETF draft standard for JSON-based object references exists [1]. The Dojo Toolkit supports object references using standard JSON; specifically, the dojox.json.ref module provides support for several forms of referencing including circular, multiple, inter-message, and lazy referencing.[45][46] Alternatively, non-standard solutions exist such as the use of Mozilla JavaScript Sharp Variables, although this functionality has been removed in Firefox version 12.[47]
Comparison with other formats
<templatestyles src="Module:Hatnote/styles.css"></templatestyles>
JSON is promoted as a low-overhead alternative to XML as both of these formats have widespread support for creation, reading and decoding in the real-world situations where they are commonly used.[48] Apart from XML, examples could include OGDL, YAML and CSV. Also, Google Protocol Buffers can fill this role, although it is not a data interchange language.
YAML
YAML version 1.2 is a superset of JSON; prior versions were "not strictly compatible". For example, escaping a slash (/) with a backslash (\) is valid JSON, but was not valid YAML. (This is common practice when injecting JSON into HTML to protect against cross-site scripting attacks.) Nonetheless, many YAML parsers can natively parse the output from many JSON encoders.[49]
XML
XML has been used to describe structured data and to serialize objects. Various XML-based protocols exist to represent the same kind of data structures as JSON for the same kind of data interchange purposes. Data can be encoded in XML several ways. The most expansive form using tag pairs results in a much larger representation than JSON, but if data is stored in attributes and 'short tag' form where the closing tag is replaced with 'slash-greater than', the representation is often about the same size as JSON or just a little larger. If the data is compressed using an algorithm like gzip, there is little difference because compression is good at saving space when a pattern is repeated.
XML also has the concept of schema. This permits strong typing, user-defined types, predefined tags, and formal structure, allowing for formal validation of an XML stream in a portable way. There is, however, an IETF draft proposal for a schema system for JSON[2].
XML supports comments, but JSON does not.[50]
Samples
JSON sample
{
"firstName": "John",
"lastName": "Smith",
"age": 25,
"address": {
"streetAddress": "21 2nd Street",
"city": "New York",
"state": "NY",
"postalCode": "10021"
},
"phoneNumber": [
{
"type": "home",
"number": "212 555-1234"
},
{
"type": "fax",
"number": "646 555-4567"
}
],
"gender": {
"type": "male"
}
}
Both of the following examples carry the same kind of information as the JSON example above in different ways.
YAML sample
The JSON code above is also entirely valid YAML. YAML also offers an alternative syntax intended to be more human-accessible by replacing nested delimiters like {}
, []
, and "
marks with structured whitespace indents.[49]
---
firstName: John
lastName: Smith
age: 25
address:
streetAddress: 21 2nd Street
city: New York
state: NY
postalCode: 10021
phoneNumber:
- type: home
number: 212 555-1234
- type: fax
number: 646 555-4567
gender:
type: male
XML samples
<person>
<firstName>John</firstName>
<lastName>Smith</lastName>
<age>25</age>
<address>
<streetAddress>21 2nd Street</streetAddress>
<city>New York</city>
<state>NY</state>
<postalCode>10021</postalCode>
</address>
<phoneNumbers>
<phoneNumber>
<type>home</type>
<number>212 555-1234</number>
</phoneNumber>
<phoneNumber>
<type>fax</type>
<number>646 555-4567</number>
</phoneNumber>
</phoneNumbers>
<gender>
<type>male</type>
</gender>
</person>
The properties can also be serialized using attributes instead of tags:
<person firstName="John" lastName="Smith" age="25">
<address streetAddress="21 2nd Street" city="New York" state="NY" postalCode="10021" />
<phoneNumbers>
<phoneNumber type="home" number="212 555-1234"/>
<phoneNumber type="fax" number="646 555-4567"/>
</phoneNumbers>
<gender type="male"/>
</person>
The XML encoding may therefore be comparable in length to the equivalent JSON encoding. A wide range of XML processing technologies exist, from the Document Object Model to XPath and XSLT. XML can also be styled for immediate display using CSS. XHTML is a form of XML so that elements can be passed in this form ready for direct insertion into webpages using client-side scripting.
See also
- JSON Streaming
- Other formats
- HOCON—Human-Optimized Config Object Notation, a superset of JSON
- YAML—Another datastorage format that is a superset of JSON[51]
- S-expression—the comparable LISP format for trees as text.
- JSONP—JSON with Padding, a pattern of usage commonly employed when retrieving JSON across domains
- GeoJSON—an open format for encoding a variety of geographic data structures
- JSON-LD—JavaScript Object Notation for Linked Data, currently a W3C Recommendation
- JSON-RPC
- SOAPjr—a hybrid of SOAP and JR (JSON-RPC)
- JsonML
- Binary encodings for JSON
- Implementations:
- Jayrock—an open source implementation of JSON for the .NET Framework.
Notes
<templatestyles src="Reflist/styles.css" />
Cite error: Invalid <references>
tag; parameter "group" is allowed only.
<references />
, or <references group="..." />
References
<templatestyles src="Reflist/styles.css" />
Cite error: Invalid <references>
tag; parameter "group" is allowed only.
<references />
, or <references group="..." />
External links
- Format home page
- The JavaScript Object Notation (JSON) Data Interchange Format (RFC 7159)
- ECMA-404—The JSON Data Interchange Format
- CBOR—A binary encoding for JSON
- "Learn X in Y minutes" about JSON
Lua error in package.lua at line 80: module 'strict' not found.
- ↑ Lua error in package.lua at line 80: module 'strict' not found.
- ↑ Lua error in package.lua at line 80: module 'strict' not found.
- ↑ Video: Douglas Crockford — The JSON Saga, on Yahoo! Developer Network. In the video Crockford states: "I do not claim to have invented JSON ... What I did was I found it, I named it, I described how it was useful. ... So, the idea's been around there for a while. What I did was I gave it a specification, and a little Web site."
- ↑ Lua error in package.lua at line 80: module 'strict' not found.
- ↑ Lua error in package.lua at line 80: module 'strict' not found.
- ↑ Lua error in package.lua at line 80: module 'strict' not found.
- ↑ Lua error in package.lua at line 80: module 'strict' not found.
- ↑ Lua error in package.lua at line 80: module 'strict' not found.
- ↑ Lua error in package.lua at line 80: module 'strict' not found.
- ↑ ECMA 404 states: "Most programming languages will have some feature for representing such collections, which can go by names like record, struct, dict, map, hash, or object."
- ↑ RFC 7159 states: "The names within an object SHOULD be unique.", where the word "SHOULD", interpreted as per RFC 2119, means a recommendation.
- ↑ Lua error in package.lua at line 80: module 'strict' not found.
- ↑ Lua error in package.lua at line 80: module 'strict' not found.
- ↑ Lua error in package.lua at line 80: module 'strict' not found.
- ↑ Lua error in package.lua at line 80: module 'strict' not found.
- ↑ RFC 7159
- ↑ Lua error in package.lua at line 80: module 'strict' not found.
- ↑ Lua error in package.lua at line 80: module 'strict' not found.
- ↑ Lua error in package.lua at line 80: module 'strict' not found.
- ↑ Lua error in package.lua at line 80: module 'strict' not found.
- ↑ Lua error in package.lua at line 80: module 'strict' not found.
- ↑ Lua error in package.lua at line 80: module 'strict' not found.
- ↑ 23.0 23.1 23.2 Lua error in package.lua at line 80: module 'strict' not found.
- ↑ Lua error in package.lua at line 80: module 'strict' not found.
- ↑ Lua error in package.lua at line 80: module 'strict' not found.
- ↑ Lua error in package.lua at line 80: module 'strict' not found.
- ↑ Lua error in package.lua at line 80: module 'strict' not found.
- ↑ Lua error in package.lua at line 80: module 'strict' not found.
- ↑ Douglas Crockford (July 2006). "IANA Considerations". The application/json Media Type for JavaScript Object Notation (JSON). IETF. sec. 6. RFC 4627. https://tools.ietf.org/html/rfc4627#section-6. Retrieved October 21, 2009.
- ↑ Lua error in package.lua at line 80: module 'strict' not found.
- ↑ Lua error in package.lua at line 80: module 'strict' not found.
- ↑ Lua error in package.lua at line 80: module 'strict' not found.
- ↑ Lua error in package.lua at line 80: module 'strict' not found.
- ↑ Lua error in package.lua at line 80: module 'strict' not found.
- ↑ Lua error in package.lua at line 80: module 'strict' not found.
- ↑ Lua error in package.lua at line 80: module 'strict' not found.
- ↑ Lua error in package.lua at line 80: module 'strict' not found.
- ↑ Lua error in package.lua at line 80: module 'strict' not found.
- ↑ Lua error in package.lua at line 80: module 'strict' not found.
- ↑ Lua error in package.lua at line 80: module 'strict' not found.
- ↑ Lua error in package.lua at line 80: module 'strict' not found.
- ↑ Lua error in package.lua at line 80: module 'strict' not found.
- ↑ Lua error in package.lua at line 80: module 'strict' not found.
- ↑ Lua error in package.lua at line 80: module 'strict' not found.
- ↑ Lua error in package.lua at line 80: module 'strict' not found.
- ↑ Lua error in package.lua at line 80: module 'strict' not found.
- ↑ Lua error in package.lua at line 80: module 'strict' not found.
- ↑ Lua error in package.lua at line 80: module 'strict' not found.
- ↑ 49.0 49.1 Lua error in package.lua at line 80: module 'strict' not found.
- ↑ Lua error in package.lua at line 80: module 'strict' not found.
- ↑ Lua error in package.lua at line 80: module 'strict' not found.
Cite error: <ref>
tags exist for a group named "note", but no corresponding <references group="note"/>
tag was found, or a closing </ref>
is missing