Breaking change: New JsonSerializerDefaults.Web option leveraged by ASP.NET allows quoted numbers when deserializing JSON #21067
Comments
layomia
added
doc-idea
|
FYI - @tdykstra, @pranavkm, @terrajobst |
|
For the recommended action, could we exhibit what this would look like for MVC:
services.AddControllers()
.AddJsonOptions(options.NumberHandling = JsonNumberHandling.Strict);@tdykstra would this get listed under this: https://docs.microsoft.com/en-us/dotnet/core/compatibility/3.1-5.0? It's the one ASP.NET Core's migration notes links. |
|
Yes, that's the right place for it. And the quoted numbers section of the Newtonsoft migration doc would mention this and link to the 3.1-5.0 doc as well. |
@layomia, please add a clarification that this is not the new behavior for the default stand-alone |
|
@tdykstra Do you have any interest in documenting the serialization breaking changes? |
|
I'm interested in reviewing them to make sure I'm aware of changes that affect the STJ docs. If we get a bunch of them and you'd like some assistance I can help out. I'd need a crash course in how to document breaking changes. 😄 |
|
@gewarren @tdykstra FWIW I believe this is the last System.Text.Json breaking change to be documented. |
|
For anyone wondering how to (quickly) patch the problem this issue creates when transitioning from .net core 2.0+ to .net core 3.0+... You can use the old newtonsoft json serializer by adding |
|
What problem exactly would that workaround be for, @seanbecker15, that would require adding back newtonsoft?
services.AddControllers()
.AddJsonOptions(options.NumberHandling = JsonNumberHandling.Strict); |
|
@ahsonkhan My apologies for the confusion — I was referring to a few problems caused by migrating from .net core 2.0+ to 3.0+ that this issue happens to address. For context, here are the problems I ran into when upgrading:
E: If you’d like me to reword that let me know and I’d be happy to do so. |
That shouldn't happen. Please file an issue in https://github.com/dotnet/runtime with your aspnet details, .net version and provide a minimal repro of your application, C# object model, and example JSON you are deserializing, and someone there will take a look and help you.
That is expected since This migration guide should be useful: For anything else, please file new issues in https://github.com/dotnet/runtime so the conversation is in the right place :) |
Breaking change: New JsonSerializerDefaults.Web option leveraged by ASP.NET allows quoted numbers when deserializing JSON
In 5.0, we introduced a
JsonSerializerDefaultsenum along with a constructor onJsonSerializerOptionsthat takes this enum (dotnet/runtime#34626). This allows the creation of aJsonSerializerOptionsinstance with predetermined options, depending on the scenario.JsonSerializerDefaults.Webspecifies the following options:PropertyNamingPolicy=JsonNamingPolicy.CamelCasePropertyNameCaseInsensitive=trueNumberHandling=JsonNumberHandling.AllowReadingFromStringThe number handling feature is new in .NET 5 (dotnet/runtime#30255) and allows custom number handling, including allowing the serializer to read quoted numbers (i.e JSON strings), rather than throw
JsonException. WithJsonSerializerDefaults.Web, the serializer is permitted to read strings as numbers.In 3.x, the default
JsonSerializerOptionsused by ASP.NET Core specified the camel case naming policy, and allowed case-insensitive property naming matching, but per the serializer's capabilities in 3.x, reading JSON strings as numbers was not allowed. In 5.0, ASP.NET has adopted the newJsonSerializerDefaults.Webas the default (de)serialization options. This means that all ASP.NET applications by default will now allow reading JSON strings as numbers.Note that the new JSON extension methods on
HttpClientandHttpContentexposed bySystem.Net.Http.Json(dotnet/runtime#32937) also use the newJsonSerializerDefaults.Weboptions.Version introduced
5.0
Old behavior
Quoted numbers in JSON payloads which were to map with number properties in object graphs on deserialization would cause
JsonExceptionto be thrown.New behavior
Quoted numbers in JSON payloads which are to map with number properties in object graphs on deserialization are valid.
This is not the new behavior for the default stand-alone
JsonSerializerorJsonSerializerOptions, but rather it is the default behavior specifically within ASP.NET Core apps, theSystem.Net.Http.Jsonpackage, or when the user opts-in and chooses theJsonSerializerDefaults.Weboption.This behavior is making a scenario more permissive, specifically going from throwing
JsonExceptionto successfully coercing a number from a JSON string. This is technically not a breaking change. However, since this will affect many ASP.NET Core apps, it is a significant behavioral change which should be advertised.Reason for change
User feedback and requests for opt-in, more permissive number handling in
JsonSerializer(dotnet/runtime#30255) indicated that many JSON producers (e.g. services across the web) emit quoted numbers. Allowing reading quoted numbers helps .NET applications successfully parse these payloads by default in web contexts. This API is exposed viaJsonSerializerDefaults.Webso that there is a handy way to specify the same options across different application layers e.g. client, server, shared. More detail here - dotnet/runtime#42240 (comment).Recommended action
If this change is disruptive, e.g. the strict/default number handling in
JsonSerializeris depended upon for validation, the previous behavior can be reenabled by setting theJsonSerializeOptions.NumberHandlingoption used by the application toJsonNumberHandling.Strict.For ASP.NET Core MVC and web API applications, this can be configured in
Startupusing the following snippet:Category
Affected APIs
JsonSerializer.DeserializeJsonSerializer.DeserializeAsyncIssue metadata
The text was updated successfully, but these errors were encountered: