From: Peter Murphy <peterkmurphy@gm...> - 2014-08-10 09:21:33
PyCon Australia 2014 was held in Brisbane about a week ago. (It was
held at the Brisbane exhibition centre - literally walking distance
from my home). One talk of possible interest to this list[*] was
"Serialization formats aren't toys" by Tom Eastman.
"Do you accept input from users? Do you accept it in XML? What about
YAML? Or maybe JSON? How safe are you? Are you sure?"
The talk is about 30 minutes long, and can be viewed here:
The YAML part (which is mostly about the dangers of
"python/object/apply" tags) is from 6:48 to 13:30; the JSON part is
from 23:07 to the end. However, I suggest everybody have a watch of
the whole thing. The "Billion Laughs Attack" is an XML thing, but
still nice to know about. ;-)
[*] PS: Which list is the current YAML list? yaml-core@... or
yaml-core@...? I sent this message to both, just in
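The "Billion Laughs" attack the post mentions is an XML entity-expansion problem: a DTD in the input defines entities that reference each other so that a few lines expand into gigabytes when the parser resolves them. The usual defence is not to let untrusted input carry a DTD at all. The following is an added example (not part of the post or of Tom Eastman's talk) showing one way to do that with only the Python standard library's expat binding: the parser is given a DOCTYPE handler that aborts as soon as a DTD appears, an entity-declaration handler as a second line of defence, and an input-size cap. The function name `parse_untrusted_xml`, the exception class and the sample documents are all constructed for this example.

```python
import xml.parsers.expat


class UnsafeXMLError(ValueError):
    """Raised when untrusted XML contains constructs we refuse to process."""


def parse_untrusted_xml(data: bytes, max_size: int = 1_000_000) -> list:
    """Parse untrusted XML and return the element names in document order.

    Rejects any DOCTYPE (and therefore any entity declarations), any external
    entity reference, and any input larger than max_size bytes. Refusing the
    DTD up front means exponential entity expansion never gets a chance to run.
    """
    if len(data) > max_size:
        raise UnsafeXMLError(f"input of {len(data)} bytes exceeds {max_size}")

    parser = xml.parsers.expat.ParserCreate()
    elements = []

    def on_doctype(doctype_name, system_id, public_id, has_internal_subset):
        # A DTD is the only place entities can be declared; untrusted input
        # has no legitimate need for one, so abort the parse immediately.
        raise UnsafeXMLError(f"DOCTYPE {doctype_name!r} rejected")

    def on_entity_decl(name, is_parameter, value, base, system_id, public_id, notation):
        # Belt and braces: never reached once DOCTYPE is rejected, but kept so
        # the policy stays explicit if someone relaxes the DOCTYPE rule later.
        raise UnsafeXMLError(f"entity declaration {name!r} rejected")

    def on_external_ref(context, base, system_id, public_id):
        # External entities would make the parser fetch files or URLs.
        raise UnsafeXMLError(f"external entity reference {system_id!r} rejected")

    def on_start(name, attrs):
        elements.append(name)

    # Exceptions raised inside expat handlers propagate out of Parse(), so the
    # caller sees UnsafeXMLError rather than a partially parsed document.
    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    parser.StartElementHandler = on_start
    parser.Parse(data, True)
    return elements


if __name__ == "__main__":
    # Constructed sample inputs: one benign document, one carrying a DTD.
    benign = b"<order><item/><item/></order>"
    with_dtd = b'<!DOCTYPE r [<!ENTITY x "hi">]><r>&x;</r>'

    print(parse_untrusted_xml(benign))
    try:
        parse_untrusted_xml(with_dtd)
    except UnsafeXMLError as exc:
        print("rejected:", exc)
```

For production use the same policy is what the `defusedxml` package applies across the stdlib parsers; the point of the hand-rolled version above is to show that the check is a refusal at the DOCTYPE stage, not an attempt to measure expansion after the fact.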