Use safe mode and null base by default in canonize.

digitalbazaar · Aug 23, 2022 · 0229176 · 0229176
1 parent 6f9c6fe
commit 0229176
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 3 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,11 @@
 # jsonld ChangeLog
 
+## 8.0.0 - 2022-08-xx
+
+### Changed
+- **BREAKING**: By default, set safe mode to `true` and `base` to
+  `null` in `canonize`.
+
 ## 7.0.0 - 2022-08-16
 
 ### Fixed

diff --git a/lib/jsonld.js b/lib/jsonld.js
@@ -524,12 +524,18 @@ jsonld.link = async function(input, ctx, options) {
  * unless the 'inputFormat' option is used. The output is an RDF dataset
  * unless the 'format' option is used.
  *
+ * Note: Canonicalization sets `safe` to `true` and `base` to `null` by
+ * default in order to produce safe outputs and "fail closed" by default. This
+ * is different from the other API transformations in this version which
+ * allow unsafe defaults (for cryptographic usage) in order to comply with the
+ * JSON-LD 1.1 specification.
+ *
  * @param input the input to normalize as JSON-LD or as a format specified by
  *          the 'inputFormat' option.
  * @param [options] the options to use:
  *          [algorithm] the normalization algorithm to use, `URDNA2015` or
  *            `URGNA2012` (default: `URDNA2015`).
- *          [base] the base IRI to use.
+ *          [base] the base IRI to use (default: `null`).
  *          [expandContext] a context to expand with.
  *          [skipExpansion] true to assume the input is expanded and skip
  *            expansion, false not to, defaults to false.
@@ -539,7 +545,7 @@ jsonld.link = async function(input, ctx, options) {
  *            'application/n-quads' for N-Quads.
  *          [documentLoader(url, options)] the document loader.
  *          [useNative] true to use a native canonize algorithm
- *          [safe] true to use safe mode. (default: false)
+ *          [safe] true to use safe mode. (default: true).
  *          [contextResolver] internal use only.
  *
  * @return a Promise that resolves to the normalized output.
@@ -551,9 +557,10 @@ jsonld.normalize = jsonld.canonize = async function(input, options) {
 
   // set default options
   options = _setDefaults(options, {
-    base: _isString(input) ? input : '',
+    base: _isString(input) ? input : null,
     algorithm: 'URDNA2015',
     skipExpansion: false,
+    safe: true,
     contextResolver: new ContextResolver(
       {sharedCache: _resolvedContextCache})
   });