safeloading

Safe loading, sometimes written safeloading, denotes practices for loading data or modules from potentially untrusted sources in a way that prevents security breaches such as remote code execution, data exfiltration, or object injection. The concept applies across data formats, configuration systems, and plugin architectures, where unchecked loading can trigger side effects or instantiate attacker-controlled code.

In YAML processing, a common concern is that a loader could instantiate arbitrary objects or execute constructors

In JSON, the data model is typically data-only, so standard loaders are generally safe by default. Nonetheless,

Best practices for safeloading include validating input with a schema, using allowlists for permissible structures, running