JavaScript Object Notation

For similarly-named people, see J Son (disambiguation).
JSON
Filename extension .json
Internet media type application/json
Uniform Type Identifier public.json
Type of format Data interchange
Extended from JavaScript
Standard(s) RFC 4627, ECMA-404
Website

JSON (/ˈsɒn/ , /ˈsən/ ), or JavaScript Object Notation, is an open standard format that uses human-readable text to transmit data objects consisting of key:value pairs. It is used primarily to transmit data between a server and web application, as an alternative to XML.

Although originally derived from the JavaScript scripting language, JSON is a language-independent data format, and code for parsing and generating JSON data is readily available in a large variety of programming languages.

The JSON format was originally specified by Douglas Crockford, and is described in RFC 4627 and ECMA-404. The official Internet media type for JSON is application/json. The JSON filename extension is .json.

History

Douglas Crockford was the first to specify and popularize the JSON format.[1] The economic justification that led to the discovery of JSON grew out of a perceived market need for stateful, real-time server to browser communication without using browser plugins such as Flash or Java applets which were the dominant design at the time.

JSON was used at State Software Inc., a company co-founded by Douglas Crockford and Robert F. Napiltonia, starting in April 2001, and funded by Tesla Ventures. When State was founded in early 2001 by six former employees of Communities.com, they agreed to build a system that used standard browser capabilities and provided an abstraction layer for Web developers to create stateful Web applications that had a persistent duplex connection to a Web server by holding the two HTTP connections open and recycling them before standard browser time-outs if no further data were exchanged. The idea for the State Application Framework was developed by Chip Morningstar at State Software.[2][3] It was used in a project at Communities.com for Cartoon Network, which used a plug-in with a proprietary messaging format to manipulate

Although JSON was originally based on a non-strict subset of the libraries, organized by language.

Data types, syntax and example

JSON's basic types are:

  • Number (double-precision floating-point format in JavaScript, generally depends on implementation)
  • String (double-quoted Unicode, with backslash escaping)
  • Boolean (true or false)
  • Array (an ordered sequence of values, comma-separated and enclosed in square brackets; the values do not need to be of the same type)
  • Object (an unordered collection of key:value pairs with the ':' character separating the key and the value, comma-separated and enclosed in curly braces; the keys must be strings and should be distinct from each other)
  • null (empty)

Non-significant white space may be added freely around the "structural characters" (i.e. brackets "{ } [ ]", colons ":" and commas ",").

The following example shows the JSON representation of an object that describes a person. The object has string fields for first name and last name, a number field for age, an object representing the person's address and an array of phone number objects.

{
    "firstName": "John",
    "lastName": "Smith",
    "age": 25,
    "address": {
        "streetAddress": "21 2nd Street",
        "city": "New York",
        "state": "NY",
        "postalCode": 10021
    },
    "phoneNumbers": [
        {
            "type": "home",
            "number": "212 555-1234"
        },
        {
            "type": "fax",
            "number": "646 555-4567"
        }
    ]
}

One potential pitfall of the free-form nature of JSON comes from the ability to write numbers as either numeric literals or quoted strings. For example, ZIP Codes in the northeastern U.S. begin with zeroes (for example, 07728 for Freehold, New Jersey). If written with quotes by one programmer but not by another, the leading zero could be dropped when exchanged between systems, when searched for within the same system, or when printed. In addition, postal codes in the U.S. are numbers but other countries use letters as well. This is a type of problem that the use of a JSON Schema (see below) is intended to reduce.

A JSON parser library or Javascript's native JSON support should be used for reading and writing JSON. A correctly implemented JSON parser accepts only valid JSON, preventing potentially malicious code from being executed inadvertently.

 var p = JSON.parse(contact);

Web browsers, such as Firefox and Internet Explorer, have, since 2010, included support for parsing JSON. As native browser support is more efficient and secure than eval(), native JSON support is included in Edition 5 of the ECMAScript standard.[7]

The jQuery library wraps a JSON object in a function constructor and executes it immediately if JSON.parse is not present. This avoids using eval in the code.

 var p = new Function('return ' + contact + ';')();

Despite the widespread belief that JSON is a JavaScript subset, this is not the case. Specifically, JSON allows the Unicode line terminators U+2028 line separator and U+2029 paragraph separator to appear unescaped in quoted strings, while JavaScript does not.[8] This is a consequence of JSON disallowing only "control characters". This subtlety is important when generating JSONP.

Unsupported native data types

JavaScript syntax defines several native data types that are not included in the JSON standard:[9] Date, Error, Regular Expression, and Function. These JavaScript data types must be represented as some other data format, with the programs on both ends agreeing on how to convert between the types. As of 2011, there are some de facto standards for e.g. converting between Date and String, but none universally recognized.[10][11] Other languages may have a different set of native types that must be serialized carefully to deal with this type of conversion.

Schema and Metadata

JSON Schema

JSON Schema[12] specifies a JSON-based format to define the structure of JSON data for validation, documentation, and interaction control. A JSON Schema provides a contract for the JSON data required by a given application, and how that data can be modified. JSON Schema is based on the concepts from XML Schema, RelaxNG, and Kwalify, but is JSON-based, so that JSON data in the form of a schema can be used to validate JSON data, the same serialization/deserialization tools can be used for the schema and data, and it is self-describing.

JSON Schema is an Internet Draft, currently version 4.[13] There are several validators available for different programming languages,[14] each with varying levels of conformance.

Example JSON Schema:

{
    "name": "Product",
    "properties": {
        "id": {
            "type": "number",
            "description": "Product identifier",
            "required": true
        },
        "name": {
            "type": "string",
            "description": "Name of the product",
            "required": true
        },
        "price": {
            "type": "number",
            "minimum": 0,
            "required": true
        },
        "tags": {
            "type": "array",
            "items": {
                "type": "string"
            }
        },
        "stock": {
            "type": "object",
            "properties": {
                "warehouse": {
                    "type": "number"
                },
                "retail": {
                    "type": "number"
                }
            }
        }
    }
}

The JSON Schema above can be used to test the validity of the JSON code below:

{
    "id": 1,
    "name": "Foo",
    "price": 123,
    "tags": [ "Bar", "Eek" ],
    "stock": {
        "warehouse": 300,
        "retail": 20
    }
}

MIME type

The official MIME type for JSON text is "application/json".[15] Although most modern implementations have adopted the official MIME type, many applications continue to provide legacy support for other MIME types. Many service providers, browsers, servers, web applications, libraries, frameworks, and APIs use, expect, or recognize the (unofficial) MIME type "text/json" or the content-type "text/javascript". Notable examples include the Google Search API,[16] Yahoo!,[16][17] Flickr,[16] Facebook API,[18] Lift framework,[19] Dojo Toolkit 0.4,[20] etc.

JSON-RPC

JSON-RPC is an RPC protocol built on JSON, as a replacement for XML-RPC or SOAP. It is a simple protocol that defines only a handful of data types and commands. JSON-RPC allows for notifications (information sent to the server that do not require a response) and for multiple calls to be sent to the server that may be answered out of order. Example of a JSON-RPC 2.0 request and response using positional parameters.

--> {"jsonrpc": "2.0", "method": "subtract", "params": [42, 23], "id": 1}
<-- {"jsonrpc": "2.0", "result": 19, "id": 1}

Use in Ajax

JSON is often used in Ajax techniques. Ajax is a term for the ability of a webpage to request new data after it has loaded into the web browser, usually in response to user actions on the displayed webpage. As part of the Ajax model, the new data is usually incorporated into the user interface display dynamically as it arrives back from the server. An example of this in practice might be that while the user is typing into a search box, client-side code sends what they have typed so far to a server that responds with a list of possible complete search terms from its database. These may be displayed in a drop-down list beneath the search, so that the user may stop typing and select a complete and commonly used search string directly. When it was originally described in the mid-2000s, Ajax commonly used XML as the data interchange format but many developers have also used JSON to pass Ajax updates between the server and the client.[21]

The following JavaScript code is one example of a client using XMLHttpRequest to request data in JSON format from a server. (The server-side programming is omitted; it must be set up to respond to requests at url with a JSON-formatted string.)

var my_JSON_object;
var http_request = new XMLHttpRequest();
http_request.open("GET", url, true);
http_request.onreadystatechange = function () {
    var done = 4, ok = 200;
    if (http_request.readyState == done && http_request.status == ok) {
        my_JSON_object = JSON.parse('''http_request.responseText''');
    }
};
http_request.send(null);

Security issues

Although JSON is intended as a data serialization format, its design as a non-strict subset of the JavaScript scripting language poses several security concerns. These concerns center on the use of a JavaScript interpreter to execute JSON text dynamically as JavaScript, thus exposing a program to errant or malicious script contained therein—often a chief concern when dealing with data retrieved from the Internet. While not the only way to process JSON, it is an easy and popular technique, stemming from JSON's compatibility with JavaScript's eval() function, and illustrated by the following code examples.

JavaScript eval()

Because most JSON-formatted text is also syntactically legal JavaScript code, an easy way for a JavaScript program to parse JSON-formatted data is to use the built-in JavaScript eval() function, which was designed to evaluate JavaScript expressions. Rather than using a JSON-specific parser, the JavaScript interpreter itself is used to execute the JSON data to produce native JavaScript objects. However, there are some Unicode characters that are valid in JSON strings but invalid in JavaScript, so additional escaping may be needed in some cases, before using a JavaScript interpreter.[22]

Unless precautions are taken to validate the data first, the eval technique is subject to security vulnerabilities if the data and the entire JavaScript environment are not within the control of a single trusted source. For example, if the data is itself not trusted, it may be subject to malicious JavaScript code injection attacks. Also, such breaches of trust may create vulnerabilities for data theft, authentication forgery, and other potential misuse of data and resources. Regular expressions can be used to validate the data prior to invoking eval(). For example, the RFC that defines JSON (RFC 4627) suggests using the following code to validate JSON before evaluating it (the variable 'text' is the input JSON):[23]

var my_JSON_object = !(/[^,:{}\[\]0-9.\-+Eaeflnr-u \n\r\t]/.test(
    text.replace(/"(\\.|[^"\\])*"/g, ''))) && eval('(' + text + ')');

A new function, JSON.parse(), was developed as a safer alternative to eval. It is specifically intended to process JSON data and not JavaScript. It was originally planned for inclusion in the Fourth Edition of the ECMAScript standard,[24] but this did not occur. It was first added to the Fifth Edition,[25] and is now supported by the major browsers given below. For older ones, a compatible JavaScript library is available at JSON.org.

Native encoding and decoding in browsers

Recent Web browsers now either have or are working on native JSON encoding/decoding. Not only does this eliminate the eval() security problem above, but also increases performance due to the fact that functions must no longer be parsed. Native JSON is generally faster compared to the JavaScript libraries commonly used before. As of June 2009 the following browsers have or will have native JSON support, via JSON.parse() and JSON.stringify():

At least five popular JavaScript libraries have committed to use native JSON, if available:

The default character encoding for JSON is UTF8; it also supports UTF16 and UTF32.

Object references

The JSON standard does not support object references, but the Dojo Toolkit illustrates how conventions can be adopted to support such references using standard JSON. Specifically, the Alternatively, non-standard solutions exist such as the use of Mozilla JavaScript Sharp Variables, although this functionality has been removed in Firefox version 12.[37]

Comparison with other formats

JSON is promoted as a low-overhead alternative to XML as both of these formats have widespread support for creation, reading and decoding in the real-world situations where they are commonly used.[38] Apart from XML, examples could include OGDL, YAML and CSV. Also, Google Protocol Buffers can fill this role, although it is not a data interchange language.

YAML

YAML is almost, but not entirely, a superset of JSON. For example, escaping a slash (/) with a backslash (\) is valid JSON, but not valid YAML. (This is common practice when injecting JSON into HTML to protect against cross site scripting attacks.) Nonetheless, many YAML parsers can natively parse the output from many JSON encoders.[39]

XML

XML has been used to describe structured data and to serialize objects. Various XML-based protocols exist to represent the same kind of data structures as JSON for the same kind of data interchange purposes. When data is encoded in XML, the result is typically larger than an equivalent encoding in JSON, mainly because of XML's closing tags. Yet, if the data is compressed using an algorithm like gzip there is little difference because compression is good at saving space when a pattern is repeated.

When used without an XML schema, XML values don't have a specific data type.

Examples

JSON example

{
    "firstName": "John",
    "lastName": "Smith",
    "age": 25,
    "address": {
        "streetAddress": "21 2nd Street",
        "city": "New York",
        "state": "NY",
        "postalCode": "10021"
    },
    "phoneNumber": [
        {
            "type": "home",
            "number": "212 555-1234"
        },
        {
            "type": "fax",
            "number": "646 555-4567"
        }
    ]
}

Both of the following examples carry the same kind of information as the JSON example above in different ways.

YAML example

The above JSON code is also 100% valid YAML; however, YAML also offers an alternative syntax intended to be more human accessible by replacing nested delimiters like {}, [], and " marks with structured white space indents.[39]

---
  firstName:  John
  lastName:  Smith
  age: 25
  address: 
        streetAddress: 21 2nd Street
        city: New York
        state: NY
        postalCode: 10021
 
  phoneNumber: 
        -  
            type: home
            number: 212 555-1234
        -  
            type: fax
            number: 646 555-4567

XML examples


  John
  Smith
  25
  
21 2nd Street New York NY 10021
212 555-1234 646 555-4567
25">
  
21 2nd Street" city="New York" state="NY" postalCode="10021" /> 212 555-1234"/> 646 555-4567"/>

The XML encoding may therefore be comparable in length to the equivalent JSON encoding. A wide range of XML processing technologies exist, from the Document Object Model to XPath and XSLT. XML can also be styled for immediate display using CSS. XHTML is a form of XML so that elements can be passed in this form ready for direct insertion into webpages using client-side scripting.

See also

  • S-expression - the comparable LISP format for trees as text.
  • JSONP – JSON with Padding, a pattern of usage commonly employed when retrieving JSON across domains
  • BSON – binary JSON
  • GeoJSON - an open format for encoding a variety of geographic data structures
  • JSON-LD - JavaScript Object Notation for Linked Data, currently a W3C Working Draft
  • JSON-RPC
  • SOAPjr – a hybrid of SOAP and JR (JSON-RPC)
  • JsonML
  • Jayrock - an open source implementation of JSON for the .NET Framework

References

External links

  • JSON.com
  • Format home page
  • RFC 4627 - The application/json Media Type for JavaScript Object Notation (JSON)
  • JSON-Introduction By Microsoft
  • Improvements to JSON
This article was sourced from Creative Commons Attribution-ShareAlike License; additional terms may apply. World Heritage Encyclopedia content is assembled from numerous content providers, Open Access Publishing, and in compliance with The Fair Access to Science and Technology Research Act (FASTR), Wikimedia Foundation, Inc., Public Library of Science, The Encyclopedia of Life, Open Book Publishers (OBP), PubMed, U.S. National Library of Medicine, National Center for Biotechnology Information, U.S. National Library of Medicine, National Institutes of Health (NIH), U.S. Department of Health & Human Services, and USA.gov, which sources content from all federal, state, local, tribal, and territorial government publication portals (.gov, .mil, .edu). Funding for USA.gov and content contributors is made possible from the U.S. Congress, E-Government Act of 2002.
 
Crowd sourced content that is contributed to World Heritage Encyclopedia is peer reviewed and edited by our editorial staff to ensure quality scholarly research articles.
 
By using this site, you agree to the Terms of Use and Privacy Policy. World Heritage Encyclopedia™ is a registered trademark of the World Public Library Association, a non-profit organization.