diff --git a/docs/core/compatibility/3.1-5.0.md b/docs/core/compatibility/3.1-5.0.md index 3b2678934f25c..f127a6e41b008 100644 --- a/docs/core/compatibility/3.1-5.0.md +++ b/docs/core/compatibility/3.1-5.0.md @@ -9,6 +9,7 @@ If you're migrating from version 3.1 of .NET Core, ASP.NET Core, or EF Core to v ## ASP.NET Core +- [ASP.NET Core apps allow deserializing quoted numbers](#aspnet-core-apps-allow-deserializing-quoted-numbers) - [Authentication: AzureAD.UI and AzureADB2C.UI APIs and packages marked obsolete](#authentication-azureadui-and-azureadb2cui-apis-and-packages-marked-obsolete) - [Authorization: Resource in endpoint routing is HttpContext](#authorization-resource-in-endpoint-routing-is-httpcontext) - [Azure: Microsoft-prefixed Azure integration packages removed](#azure-microsoft-prefixed-azure-integration-packages-removed) @@ -40,6 +41,10 @@ If you're migrating from version 3.1 of .NET Core, ASP.NET Core, or EF Core to v - [SignalR: UseSignalR and UseConnections methods removed](#signalr-usesignalr-and-useconnections-methods-removed) - [Static files: CSV content type changed to standards-compliant](#static-files-csv-content-type-changed-to-standards-compliant) +[!INCLUDE [ASP.NET Core apps allow deserializing quoted numbers](../../../includes/core-changes/serialization/5.0/jsonserializer-allows-reading-numbers-as-strings.md)] + +*** + [!INCLUDE[Authentication: AzureAD.UI and AzureADB2C.UI APIs and packages marked obsolete](~/includes/core-changes/aspnetcore/5.0/authentication-aad-packages-obsolete.md)] *** @@ -418,12 +423,17 @@ If you're migrating from version 3.1 of .NET Core, ASP.NET Core, or EF Core to v ## Serialization +- [ASP.NET Core apps allow deserializing quoted numbers](#aspnet-core-apps-allow-deserializing-quoted-numbers) - [PropertyNamingPolicy, PropertyNameCaseInsensitive, and Encoder options are honored when serializing and deserializing key-value pairs](#propertynamingpolicy-propertynamecaseinsensitive-and-encoder-options-are-honored-when-serializing-and-deserializing-key-value-pairs) - [Non-public, parameterless constructors not used for deserialization](#non-public-parameterless-constructors-not-used-for-deserialization) - [JsonSerializer.Serialize throws ArgumentNullException when type parameter is null](#jsonserializerserialize-throws-argumentnullexception-when-type-parameter-is-null) - [JsonSerializer.Deserialize requires single-character string](#jsonserializerdeserialize-requires-single-character-string) - [BinaryFormatter.Deserialize rewraps some exceptions in SerializationException](#binaryformatterdeserialize-rewraps-some-exceptions-in-serializationexception) +[!INCLUDE [jsonserializer-allows-reading-numbers-as-strings](../../../includes/core-changes/serialization/5.0/jsonserializer-allows-reading-numbers-as-strings.md)] + +*** + [!INCLUDE [options-honored-when-serializing-key-value-pairs](../../../includes/core-changes/serialization/5.0/options-honored-when-serializing-key-value-pairs.md)] *** diff --git a/docs/core/compatibility/serialization.md b/docs/core/compatibility/serialization.md index d9b595038b4dd..b49262f12bb77 100644 --- a/docs/core/compatibility/serialization.md +++ b/docs/core/compatibility/serialization.md @@ -9,6 +9,7 @@ The following breaking changes are documented on this page: | Breaking change | Introduced version | | - | - | +| [ASP.NET Core apps allow deserializing quoted numbers](#aspnet-core-apps-allow-deserializing-quoted-numbers) | 5.0 | | [PropertyNamingPolicy, PropertyNameCaseInsensitive, and Encoder options are honored when serializing and deserializing key-value pairs](#propertynamingpolicy-propertynamecaseinsensitive-and-encoder-options-are-honored-when-serializing-and-deserializing-key-value-pairs) | 5.0 | | [Non-public, parameterless constructors not used for deserialization](#non-public-parameterless-constructors-not-used-for-deserialization) | 5.0 | | [JsonSerializer.Serialize throws ArgumentNullException when type parameter is null](#jsonserializerserialize-throws-argumentnullexception-when-type-parameter-is-null) | 5.0 | @@ -17,6 +18,10 @@ The following breaking changes are documented on this page: ## .NET 5.0 +[!INCLUDE [jsonserializer-allows-reading-numbers-as-strings](../../../includes/core-changes/serialization/5.0/jsonserializer-allows-reading-numbers-as-strings.md)] + +*** + [!INCLUDE [options-honored-when-serializing-key-value-pairs](../../../includes/core-changes/serialization/5.0/options-honored-when-serializing-key-value-pairs.md)] *** diff --git a/includes/core-changes/serialization/5.0/jsonserializer-allows-reading-numbers-as-strings.md b/includes/core-changes/serialization/5.0/jsonserializer-allows-reading-numbers-as-strings.md new file mode 100644 index 0000000000000..9c159ceb5466d --- /dev/null +++ b/includes/core-changes/serialization/5.0/jsonserializer-allows-reading-numbers-as-strings.md @@ -0,0 +1,53 @@ +### ASP.NET Core apps allow deserializing quoted numbers + +Starting in .NET 5.0, ASP.NET Core apps use the default deserialization options as specified by . The set of options includes setting to . This change means that ASP.NET Core apps will successfully deserialize numbers that are represented as JSON strings, instead of throwing an exception. + +#### Change description + +In .NET Core 3.0 - 3.1, throws a during deserialization if it encounters a quoted number in a JSON payload. The quoted numbers are used to map with number properties in object graphs. In .NET Core 3.0 - 3.1, numbers are only read from tokens. + +Starting in .NET 5.0, quoted numbers in JSON payloads are considered valid, by default, for ASP.NET Core apps. No exception is thrown during deserialization of quoted numbers. + +> [!TIP] +> +> - There is no behavior change for the default, standalone or . +> - This is technically not a breaking change, since it makes a scenario more permissive instead of more restrictive (that is, it succeeds in coercing a number from a JSON string instead of throwing an exception). However, since this is a significant behavioral change that affects many ASP.NET Core apps, it is documented here. +> - The and extension methods also use the set of serialization options. + +#### Version introduced + +5.0 + +#### Reason for change + +Multiple users have requested an option for more permissive number handling in . This feedback indicates that many JSON producers (for example, services across the web) emit quoted numbers. By allowing quoted numbers to be read (deserialized), .NET apps can successfully parse these payloads, by default, in web contexts. The configuration is exposed via so that you can specify the same options across different application layers, for example, client, server, and shared. + +#### Recommended action + +If this change is disruptive, for example, if you depend on the strict number handling for validation, you can re-enable the previous behavior. Set the option to . + +For ASP.NET Core MVC and web API apps, you can configure the option in `Startup` by using the following code: + +```csharp +services.AddControllers() + .AddJsonOptions(options.NumberHandling = JsonNumberHandling.Strict); +``` + +#### Category + +- ASP.NET Core +- Serialization + +#### Affected APIs + +- +- + +