Bug Tracker

Opened 13 years ago

Closed 13 years ago

Last modified 11 years ago

#6805 closed bug (invalid)

RegExp test inside jQuery.parseJSON returns false positives

Reported by: ngiesen Owned by:
Priority: Milestone: 1.4.3
Component: ajax Version: 1.4.2
Keywords: Cc:
Blocked by: Blocking:


Objects and arrays with trailing comma's are let through by the testing RegExp, and even stuff like

var data = '{"foo":true,}{]';

( /[\],:{}\s]*$/.test(data.replace(/
\/bfnrt]|u[0-9a-fA-F]{4})/g, "@")

\n\r]*"|true|false|null?\d+(?:\.\d*)?(?:[eE][+\-]?\d+)?/g, "]")

.replace(/(?:|:|,)(?:\s*\[)+/g, "")) )

yields true.

Change History (1)

comment:1 Changed 13 years ago by dmethvin

Component: unfiledajax
Resolution: invalid
Status: newclosed
Summary: RegExp test inside jQuery.jsonParse returns false positivesRegExp test inside jQuery.parseJSON returns false positives

The goal of that RegExp is to ensure that no malicious/mutating code is executed, not to recognize all invalid JSON. You can see some documentation here:


We are especially concerned with '()' and 'new' because they can cause invocation, and '=' because it can cause mutation. But just to be safe, we want to reject all unexpected forms. ... If that is so, then the text is safe for eval.


Passing in a malformed JSON string will result in an exception being thrown.

It's just a matter of the specific error message thrown, which depends on the browser.

Note: See TracTickets for help on using tickets.