Skip to main content

Bug Tracker

Side navigation

#6805 closed bug (invalid)

Opened July 20, 2010 01:22PM UTC

Closed July 25, 2010 08:32PM UTC

Last modified March 13, 2012 10:56PM UTC

RegExp test inside jQuery.parseJSON returns false positives

Reported by: ngiesen Owned by:
Priority: Milestone: 1.4.3
Component: ajax Version: 1.4.2
Keywords: Cc:
Blocked by: Blocking:

Objects and arrays with trailing comma's are let through by the testing RegExp, and even stuff like

var data = '{"foo":true,}{]';

( /^[\\],:{}\\s]*$/.test(data.replace(/\\\\(?:["\\\\\\/bfnrt]|u[0-9a-fA-F]{4})/g, "@")

.replace(/"[^"\\\\\\n\\r]*"|true|false|null|-?\\d+(?:\\.\\d*)?(?:[eE][+\\-]?\\d+)?/g, "]")

.replace(/(?:^|:|,)(?:\\s*\\[)+/g, "")) )

yields true.

Attachments (0)
Change History (1)

Changed July 25, 2010 08:32PM UTC by dmethvin comment:1

component: unfiledajax
resolution: → invalid
status: newclosed
summary: RegExp test inside jQuery.jsonParse returns false positivesRegExp test inside jQuery.parseJSON returns false positives

The goal of that RegExp is to ensure that no malicious/mutating code is executed, not to recognize all invalid JSON. You can see some documentation here:

We are especially concerned with '()' and 'new' because they can cause invocation, and '=' because it can cause mutation. But just to be safe, we want to reject all unexpected forms. ... If that is so, then the text is safe for eval.

Passing in a malformed JSON string will result in an exception being thrown.

It's just a matter of the specific error message thrown, which depends on the browser.