RegExp test inside jQuery.parseJSON returns false positives

Reported by:	ngiesen	Owned by:
Priority:		Milestone:	1.4.3
Component:	ajax	Version:	1.4.2
Keywords:		Cc:
Blocked by:		Blocking:

Description

Objects and arrays with trailing comma's are let through by the testing RegExp, and even stuff like

var data = '{"foo":true,}{]';

( /^[\\],:{}\\s]*$/.test(data.replace(/\\\\(?:["\\\\\\/bfnrt]|u[0-9a-fA-F]{4})/g, "@")

.replace(/"[^"\\\\\\n\\r]*"|true|false|null|-?\\d+(?:\\.\\d*)?(?:[eE][+\\-]?\\d+)?/g, "]")

.replace(/(?:^|:|,)(?:\\s*\\[)+/g, "")) )

yields true.

Attachments (0)

Change History (1)

Changed July 25, 2010 08:32PM UTC by dmethvin comment:1

component:	unfiled → ajax
resolution:	→ invalid
status:	new → closed
summary:	RegExp test inside jQuery.jsonParse returns false positives → RegExp test inside jQuery.parseJSON returns false positives

The goal of that RegExp is to ensure that no malicious/mutating code is executed, not to recognize all invalid JSON. You can see some documentation here:

http://www.json.org/json2.js

We are especially concerned with '()' and 'new' because they can cause invocation, and '=' because it can cause mutation. But just to be safe, we want to reject all unexpected forms. ... If that is so, then the text is safe for eval.

http://api.jquery.com/jQuery.parseJSON/

Passing in a malformed JSON string will result in an exception being thrown.

It's just a matter of the specific error message thrown, which depends on the browser.

Side navigation

#6805 closed bug (invalid)

RegExp test inside jQuery.parseJSON returns false positives

Description

Changed July 25, 2010 08:32PM UTC by dmethvin comment:1