Bug Tracker


Ticket #6805 (closed bug: invalid)

Opened 3 years ago

Last modified 14 months ago

RegExp test inside jQuery.parseJSON returns false positives

Reported by: ngiesen
Owned by:
Priority:
Milestone: 1.4.3
Component: ajax
Version: 1.4.2
Keywords:
Cc:
Blocking:
Blocked by:

Description

Objects and arrays with trailing commas are let through by the testing RegExp, and even stuff like

var data = '{"foo":true,}{]';

// the sanity check from jQuery.parseJSON (jQuery 1.4.2), logic borrowed from json2.js
( /^[\],:{}\s]*$/.test(data.replace(/\\(?:["\\\/bfnrt]|u[0-9a-fA-F]{4})/g, "@")
    .replace(/"[^"\\\n\r]*"|true|false|null|-?\d+(?:\.\d*)?(?:[eE][+\-]?\d+)?/g, "]")
    .replace(/(?:^|:|,)(?:\s*\[)+/g, "")) )

yields true.

Change History

comment:1 Changed 3 years ago by dmethvin

  • Status changed from new to closed
  • Resolution set to invalid
  • Component changed from unfiled to ajax
  • Summary changed from RegExp test inside jQuery.jsonParse returns false positives to RegExp test inside jQuery.parseJSON returns false positives

The goal of that RegExp is to ensure that no malicious/mutating code is executed, not to recognize all invalid JSON. You can see some documentation here:

 http://www.json.org/json2.js

We are especially concerned with '()' and 'new' because they can cause invocation, and '=' because it can cause mutation. But just to be safe, we want to reject all unexpected forms. ... If that is so, then the text is safe for eval.

 http://api.jquery.com/jQuery.parseJSON/

Passing in a malformed JSON string will result in an exception being thrown.

It's just a matter of the specific error message thrown, which depends on the browser.

Please follow the bug reporting guidelines and use jsFiddle when providing test cases and demonstrations instead of pasting the code in the ticket.
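The pre-check and the evaluation step discussed in the comment above, pulled into a stand-alone script as an added example (this is not jQuery's or json2.js's own code; the names `reduce`, `isSafeForEval`, `checkedParse`, `legacyParse` and `nativeParse` are chosen here, and the inputs are constructed). It reproduces the three substitutions from jQuery 1.4.2's parseJSON and then shows the three possible outcomes: text rejected by the pre-check, text that passes the pre-check but fails to evaluate (the reporter's example), and text that passes both. The trailing-comma case also shows why the result depends on the environment: the expression evaluator tolerates it, the native JSON parser does not.

```javascript
// Added example, not jQuery's or json2.js's own code: the pre-check that
// jQuery 1.4.2's parseJSON ran before evaluating a string, split into pieces
// so each stage can be inspected. Function names are chosen here.

// Three substitutions in the json2.js style:
//  1. neutralise escape sequences so an escaped quote cannot end a string early
//  2. collapse every string, number, true/false/null literal to the token "]"
//  3. delete "[" runs that follow the start of text, a ":" or a ","
// Whatever survives should be nothing but ] , : { } and whitespace.
function reduce(text) {
  return text
    .replace(/\\(?:["\\\/bfnrt]|u[0-9a-fA-F]{4})/g, "@")
    .replace(/"[^"\\\n\r]*"|true|false|null|-?\d+(?:\.\d*)?(?:[eE][+\-]?\d+)?/g, "]")
    .replace(/(?:^|:|,)(?:\s*\[)+/g, "");
}

// The safety test: true only when no identifier, "(", "=" or "new" could remain.
// It is a filter for executable forms, not a JSON grammar check.
function isSafeForEval(text) {
  return /^[\],:{}\s]*$/.test(reduce(text));
}

// Runs the pre-check and then the given evaluator, returning a tagged result
// rather than throwing so the outcomes can be compared side by side.
function checkedParse(text, evaluate) {
  if (!isSafeForEval(text)) {
    return { status: "rejected-by-precheck" };
  }
  try {
    return { status: "ok", value: evaluate(text) };
  } catch (e) {
    // What jQuery reported as invalid JSON; the message text is engine-specific.
    return { status: "syntax-error", message: e.message };
  }
}

// The fallback path of 1.4.2 (no native JSON object): evaluate as an expression.
function legacyParse(text) {
  return checkedParse(text, function (t) { return (new Function("return " + t))(); });
}

// The preferred path: the native parser, which does enforce the JSON grammar.
function nativeParse(text) {
  return checkedParse(text, JSON.parse);
}

// Constructed inputs covering the three outcomes.
var REPORTER_INPUT = '{"foo":true,}{]';   // the ticket's example
var TRAILING_COMMA = '{"foo":true,}';     // not JSON, but a legal JS object literal
var NOT_JSON_CODE  = 'alert(1)';          // an expression: stopped before any evaluation

console.log(reduce(REPORTER_INPUT));       // {]:],}{]  (only allowed characters remain)
console.log(legacyParse(REPORTER_INPUT));  // syntax-error: passes the check, fails to evaluate
console.log(legacyParse(TRAILING_COMMA));  // ok: the evaluator tolerates what JSON forbids
console.log(nativeParse(TRAILING_COMMA));  // syntax-error: the native parser does not
console.log(legacyParse(NOT_JSON_CODE));   // rejected-by-precheck
```

`reduce` makes the reporter's point visible: the residue of `{"foo":true,}{]` is `{]:],}{]`, which contains nothing the character class forbids, so the pre-check passes and the malformed text is left for the evaluator to reject. Whether a merely non-JSON input such as a trailing comma is accepted or refused therefore depends on which evaluator the environment ends up using.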
