Nothing too major about how it’s usually used, but the yaml spec does allow arbitrary code execution when parsing a file and relies on the parser to have that feature disabled: https://en.m.wikipedia.org/wiki/YAML#Security
That’s why for python, yaml.save_load() is a thing. That’s fine for your local config files and may even be a feature for you, but it shouldn’t be used to exchange information between services.
My general view is similar, yaml is better if it should be written by humans, json is better if it should be written and read only by a machine. but hyprspace uses json for configuration, so I don’t really understand cellardoor’s comment
Nothing too major about how it’s usually used, but the yaml spec does allow arbitrary code execution when parsing a file and relies on the parser to have that feature disabled: https://en.m.wikipedia.org/wiki/YAML#Security
That’s why for python,
yaml.save_load()
is a thing. That’s fine for your local config files and may even be a feature for you, but it shouldn’t be used to exchange information between services.My general view is similar, yaml is better if it should be written by humans, json is better if it should be written and read only by a machine. but hyprspace uses json for configuration, so I don’t really understand cellardoor’s comment
Yeah I agree. Although recently I’ve become partial to toml… In the end I’ll use what’s common in the ecosystem I’m developing in
Xml has entered the chat
nit: you mean
yaml.safe_load()
.Oh yeah, of course.