Board Thread:Watercooler/@comment-24473195-20160526110434/@comment-24376429-20160528014213

But since reviews are already done in a timely fashion there is no real reason to complain. It takes a day at most and the fact that it had to be reviewed isn't really an issue.

Not to mention you can't just make pages that don't require review and still have them loaded by the script. That defeats the purpose of the security review in the first place. Not to mention that if you are storing the data in JSON form that:

1. Requires another HTTP request to fetch

2. Increases the chance of someone breaking it by accidentally mangling the JSON

3. Increases the likelihood that something could be slipped in and not sanitized

Now, #3 isn't super likely if care is taken but it is still something that could happen, especially if the configuration files are not subject to the same level of scrutiny that the actual scripts are.

Number two is one of the most likely issues that people will run into, especially since JSON, without being beautified, is a mess to read and adding, removing, or not escaping a single character can lead to a big mess later on once errors start showing up and things start breaking.

And the last thing I want to address is the HTTP request thing. While this is not super important it could still cause issues if load.php does not accept JSON meaning that the script could load before the configuration. It's also not great because it's adding an HTTP request for something that should just be in the script anyway.