JSON.stringify() has been "improved"

# Anders Rundgren (4 years ago)


I have co-authored a JSON canonicalization scheme, recently published as an RFC: www.rfc-editor.org/rfc/rfc8785.html

The work started with ES V6 as foundation since it made things really easy.

Serialization of quoted strings where taken "as is" from: www.ecma-international.org/ecma-262/6.0/index.html#sec-quotejsonstring

However, to my dismay it seems that this has changed in more recent ES editions: www.ecma-international.org/ecma-262/10.0/index.html#sec-quotejsonstring

That is, in V6 a smiley was serialized as any other UTF code point. In V10 a smiley is (AFAICT...) supposed to be serialized like \ud83d\ude00 which of course breaks canonicalization :(

Q: What was the motivation for this change?

Q: How come Chrome, Edge, and Firefox do not honor this update? Verification: cyberphone.github.io/doc/security/browser-json-canonicalization.html

Q: Does any other JSON serializer actually do this kind of transformation?

thanx, Anders

# Anders Rundgren (4 years ago)

Fortunately my analysis was wrong, all systems are go!

The revised serialization deals with pathological UTF which RFC 8785 anyway outlaws.