Simon Willison's Weblog: validation

minixsv

2009-08-12T16:59:57+00:00

As far as I can tell, this is the only library that can validate XML using pure Python (no C extension required). I’d be extremely happy if someone would write a pure Python library (or one that only depends on ElementTree, which is included in the standard library) for validating XML against a Relax NG Compact syntax schema. Even DTD validation would be better than nothing!

Via Stack Overflow

Tags: elementtree, minixsv, python, relaxng, validation, xml, xmlschema

Evil GIFs: Partial Same Origin Bypass with Hybrid Files

2008-07-01T08:58:45+00:00

Evil GIFs: Partial Same Origin Bypass with Hybrid Files

First there were PNGs that had crossdomain.xml files embedded in them, now there are GIFs that contain Java applets (as JAR files). At this point I’d say don’t even bother trying to validate uploaded files, just make sure they’re served off an entirely different domain instead where XSS doesn’t matter.

Tags: applets, crossdomainxml, gifs, javaapplets, pngs, security, uploads, validation, xss

Quoting Mark Pilgrim

2008-03-10T14:01:28+00:00

For the record, my site is valid HTML 5, except the parts that aren't. My therapist says I shouldn't rely so much on external validation.

— Mark Pilgrim

Tags: html5, mark-pilgrim, standards, validation

JavaScript: It's Just Not Validation!

2008-01-01T12:07:30+00:00

JavaScript: It's Just Not Validation!

I like the explanation of JavaScript as offering input assistance rather than validation.

Tags: inputassistance, javascript, sitepoint, validation

jQuery plugin: Validation

2007-06-30T22:26:07+00:00

jQuery plugin: Validation

Pretty clever way of attacking the client-side form validation problem; supports both configuration object literals and custom attributes on the form fields themselves.

Tags: javascript, jquery, plugins, validation

Keep your JSON valid

2006-10-11T14:44:03+00:00

I'm a big fan of JSON, and it's great to see it turning up as an output option for so many Web APIs. Unfortunately, many of these APIs are getting the details slightly wrong and in doing so are producing invalid JSON.

JSON isn't just the object-literal syntax of JavaScript; it's a very tightly defined subset of that syntax. The site has a spec (illustrated with pretty state machine diagrams) and there's an RFC as well.

By far the most common error I've encountered relates to object keys. In JSON (unlike in JavaScript) these MUST be double-quoted strings. In fact, ALL strings in JSON must be enclosed in double quotes (JavaScript also allows single quotes; JSON does not).

Valid:

{ "name": "Simon" }

Invalid:

{ name: "Simon" }
{ 'name': "Simon" }
{ "name": 'Simon' }

It's worth reviewing the other key differences between JSON and JavaScript. Remember, all valid JSON is valid JavaScript but the opposite is not true; JSON is a subset.

This stuff matters. Python's excellent simplejson module is a strict parser; it refuses to consume invalid JSON. If you're building a JSON API it's worth taking the time to ensure you are valid - I suggest installing Python and simplejson and trying the following:

$ python
Python 2.5 (r25:51918, Sep 19 2006, 08:49:13) 
[GCC 4.0.1 (Apple Computer, Inc. build 5341)] on darwin
>>> import urllib, simplejson
>>> url = "http://your-api.org/your-api/json"
>>> simplejson.load(urllib.urlopen(url))

Try it against a few JSON supporting sites. You might be surprised at the amount of invalid JSON out there.

As with outputting XML, the best way to avoid these problems is to use a pre-existing JSON generation library rather than rolling your own. I've had good experiences with simplejson for Python and php-json for PHP.

Tags: json, validation