by nickpsecurity 3622 days ago
"Since your app will only look at certain values in the JSON, you can simply ignore all the other values, and dump the values in an object/struct of your choosing. It wouldn't even be all that hard to write, provided you know how to write a parser..."

That's what I was thinking. Never seen verified parsers or generators requiring these things. So I figured it was an unnecessary requirement bringing in its own security issue.

1 comment

A large part of the problem is that people want to be able to "just" de-serialize a chunk of JSON into a suitable generic structure they can then "just" de-reference as a suitable tree of dictionaries and arrays. It'd be fantastic to see easier-to-use patterns to discourage resorting to this, but it's very hard to beat for simplicity.