XML vs. JSON: A Security Perspective (Independent Security Evaluators)


XML and JSON are both general-purpose formats for exchanging arbitrary data between computer architectures and programs, but there are a number of differences between them. These differences have motivated blog posts and other documents on the internet comparing the two, and a compilation of even a couple of these resources would cover most of their functional advantages and disadvantages.

However, in my research I haven’t seen a comprehensive comparison of the two standards that addresses the security considerations of using one or the other, and these considerations are important for any developer trying to minimize a web API’s attack surface. Hence, the purpose of this post is to gather this information into one place so that XML or JSON developers can understand the functional reasons to choose one over the other, in addition to the security precautions they should take with either choice.