RegExp test inside jQuery.parseJSON returns false positives

[ngiesen]

Objects and arrays with trailing comma's are let through by the testing RegExp, and even stuff like

var data = '{"foo":true,}{]';

( /^{[\],:{}\s]*$/.test(data.replace(/
(?:["
\/bfnrt]|u[0-9a-fA-F]{4})/g, "@")}

.replace(/"["
\n\r]*"|true|false|null?\d+(?:\.\d*)?(?:[eE][+\-]?\d+)?/g, "]")

.replace(/(?:^{|:|,)(?:\s*\[)+/g, "")) )}

yields true.

[dmethvin]

The goal of that RegExp is to ensure that no malicious/mutating code is executed, not to recognize all invalid JSON. You can see some documentation here:

​http://www.json.org/json2.js

We are especially concerned with '()' and 'new' because they can cause invocation, and '=' because it can cause mutation. But just to be safe, we want to reject all unexpected forms. ... If that is so, then the text is safe for eval.

​http://api.jquery.com/jQuery.parseJSON/

Passing in a malformed JSON string will result in an exception being thrown.

It's just a matter of the specific error message thrown, which depends on the browser.