clojure.edn versus clojure.tools.reader.edn
324 views
Skip to first unread message
Aaron Cummings
Nov 28, 2017, 10:51:45 AM11/28/17
to clo...@googlegroups.com
I have a case where I'm reading a Clojure data structure serialized to
edn, but I don't have complete trust in the soure.
Clearly I want to avoid clojure.core/read-string. The
cheatsheet at https://clojure.org/api/cheatsheet hints that
clojure.tools.reader.edn/read-string is a good choice, but I also see
clojure.edn/read-string.
Are both of these edn readers considered equally safe on untrusted
input? What tradeoffs are there for one versus the other?
Thanks,
Aaron
edn, but I don't have complete trust in the soure.
Clearly I want to avoid clojure.core/read-string. The
cheatsheet at https://clojure.org/api/cheatsheet hints that
clojure.tools.reader.edn/read-string is a good choice, but I also see
clojure.edn/read-string.
Are both of these edn readers considered equally safe on untrusted
input? What tradeoffs are there for one versus the other?
Thanks,
Aaron
Alex Miller
Nov 28, 2017, 4:14:51 PM11/28/17
to Clojure
Presuming you're in Clojure, just use clojure.edn. clojure.edn is written in Java and targets the edn subset of Clojure's syntax. Presuming you're reading typical edn data, this is the best answer.
clojure.tools.reader is a version of the Clojure reader (not the edn subset) written in Clojure (the biggest user of this is ClojureScript).
Aaron Cummings
Nov 28, 2017, 4:36:23 PM11/28/17
to clo...@googlegroups.com
Thanks Alex. This makes sense.
It did occur to the the recommendation in the cheatsheet might be
aimed at ClojureScript compatibility. Since I'm in JVM Clojure only
for this project I'll switch over to clojure.edn.
-Aaron
It did occur to the the recommendation in the cheatsheet might be
aimed at ClojureScript compatibility. Since I'm in JVM Clojure only
for this project I'll switch over to clojure.edn.
-Aaron
Alex Miller
Nov 28, 2017, 4:42:48 PM11/28/17
to Clojure
To a large degree Clojure and ClojureScript should be the same from a reader compatibility point of view.
Andy Fingerhut
Nov 28, 2017, 5:40:04 PM11/28/17
to clo...@googlegroups.com
I am pretty sure that clojure.tools.reader.edn is a version of the Clojure reader specifically for the edn subset, hence the name of the namespace.
That said, no need to add a separate dependency on clojure.tools.reader if you would prefer to avoid it, and you are reading EDN inside Clojure on the JVM.
--
You received this message because you are subscribed to the Google
Groups "Clojure" group.
To post to this group, send email to clo...@googlegroups.com
Note that posts from new members are moderated - please be patient with your first post.
To unsubscribe from this group, send email to
clojure+unsubscribe@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/clojure?hl=en
---
You received this message because you are subscribed to the Google Groups "Clojure" group.
To unsubscribe from this group and stop receiving emails from it, send an email to clojure+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Reply all
Reply to author
Forward
0 new messages