Conversation

Wait I thought escape was going to mean something hideous like "\True" but no, this cursed format just doesn't require quoting strings at all. WTF is this trash and why would anyone prefer it over JSON (also bad but nowhere near this bad)?! twitter.com/sjmurdoch/stat

This Tweet is unavailable.

4

10

Replying to

By the way, the most popular implementations of YAML also dynamically execute arbitrary code based on the input. It's used because it looks elegant and user friendly on the surface. It's a lot more aimed at being worked with by humans than JSON and wasn't based around early JS.

1

1

Replying to

and

See pyyaml.org/wiki/PyYAMLDoc for an example. > Warning: It is not safe to call yaml.load with any data received from an untrusted source! yaml.load is as powerful as pickle.load and so may call any Python function. Check the yaml.safe_load function though. Great.

1

Replying to

and

It's similar to the origin of Markdown. It's a poorly designed and loosely specified syntax for marking up data rather than documents where they delegated complex stuff to the underlying system it targeted (HTML for Markdown and the object systems of Ruby, Python, etc. for YAML).

1

Replying to

and

At least Markdown has commonmark.org but it still depends heavily on extensions and/or HTML along with having some messed up syntax decisions. YAML is immensely complex and has the same issues with ambiguities, etc. without a coalition that came together to fix it up.

1

Replying to

I don't think the situations are comparable. Markdown is used and intended as a source document format for human composition of content intended for human consumption. YAML is used and intended as a serialization format for machine-processed data.

1

Replying to

YAML was more intended as a way for humans to mark up and read data. It's a serialization format, but it was a format explicitly meant for humans to use. I think it's actually harder for humans to work with it because of all the ambiguities, etc.

1

Replying to

and

It sounds like Apple basically has the YAML equivalent of SQL injection. It doesn't seem like they would hit that using a typical library for it. It's more like they're generating it in a template string. Part of the problem with it is deceptively simple syntax with ambiguities.

1

1

Replying to

and

toml.io/en/ is a popular alternative to the typical use cases for YAML that I see. This is what Rust uses for Cargo. A mandatory significant indentation version of TOML would be what nearly all real world users of YAML actually want rather than what they get from it.

1:27 AM · Mar 7, 2021Twitter Web App

Replying to

They renamed and made a formal spec for "INI file"? 😂

2

3

Replying to

and

sicccck burn

3