Bug Tracker

Opened 9 years ago

Closed 9 years ago

Last modified 8 years ago

#6805 closed bug (invalid)

RegExp test inside jQuery.parseJSON returns false positives

Reported by: ngiesen Owned by:
Priority: Milestone: 1.4.3
Component: ajax Version: 1.4.2
Keywords: Cc:
Blocked by: Blocking:

Description

Objects and arrays with trailing comma's are let through by the testing RegExp, and even stuff like

var data = '{"foo":true,}{]';

( /[\],:{}\s]*$/.test(data.replace(/
(?:["
\/bfnrt]|u[0-9a-fA-F]{4})/g, "@")

.replace(/"["
\n\r]*"|true|false|null?\d+(?:\.\d*)?(?:[eE][+\-]?\d+)?/g, "]")

.replace(/(?:|:|,)(?:\s*\[)+/g, "")) )

yields true.

Change History (1)

comment:1 Changed 9 years ago by dmethvin

Component: unfiledajax
Resolution: invalid
Status: newclosed
Summary: RegExp test inside jQuery.jsonParse returns false positivesRegExp test inside jQuery.parseJSON returns false positives

The goal of that RegExp is to ensure that no malicious/mutating code is executed, not to recognize all invalid JSON. You can see some documentation here:

http://www.json.org/json2.js

We are especially concerned with '()' and 'new' because they can cause invocation, and '=' because it can cause mutation. But just to be safe, we want to reject all unexpected forms. ... If that is so, then the text is safe for eval.

http://api.jquery.com/jQuery.parseJSON/

Passing in a malformed JSON string will result in an exception being thrown.

It's just a matter of the specific error message thrown, which depends on the browser.

Note: See TracTickets for help on using tickets.