
Bug Tracker


#6805 closed bug (invalid)

Opened July 20, 2010 01:22PM UTC

Closed July 25, 2010 08:32PM UTC

Last modified March 13, 2012 10:56PM UTC

RegExp test inside jQuery.parseJSON returns false positives

Reported by: ngiesen Owned by:
Priority: Milestone: 1.4.3
Component: ajax Version: 1.4.2
Keywords: Cc:
Blocked by: Blocking:
Description

Objects and arrays with trailing commas are let through by the testing RegExp, and even stuff like

var data = '{"foo":true,}{]';

( /^[\],:{}\s]*$/.test(data.replace(/\\(?:["\\\/bfnrt]|u[0-9a-fA-F]{4})/g, "@")
    .replace(/"[^"\\\n\r]*"|true|false|null|-?\d+(?:\.\d*)?(?:[eE][+\-]?\d+)?/g, "]")
    .replace(/(?:^|:|,)(?:\s*\[)+/g, "")) )

yields true.

Attachments (0)
Change History (1)

Changed July 25, 2010 08:32PM UTC by dmethvin comment:1

component: unfiled → ajax
resolution: → invalid
status: new → closed
summary: RegExp test inside jQuery.jsonParse returns false positives → RegExp test inside jQuery.parseJSON returns false positives

The goal of that RegExp is to ensure that no malicious/mutating code is executed, not to recognize all invalid JSON. You can see some documentation here:

http://www.json.org/json2.js

We are especially concerned with '()' and 'new' because they can cause invocation, and '=' because it can cause mutation. But just to be safe, we want to reject all unexpected forms. ... If that is so, then the text is safe for eval.

http://api.jquery.com/jQuery.parseJSON/

Passing in a malformed JSON string will result in an exception being thrown.

It's just a matter of the specific error message thrown, which depends on the browser.
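The distinction dmethvin draws, shown as an added example that is not code from the ticket, from jQuery or from json2.js: the three substitutions and the final character-class test are the ones quoted in the report, but the function names (`looksSafeForEval`, `checkInput`, `parseJSON`) are assumed for illustration. The filter's only job is to guarantee that nothing but JSON punctuation survives, so that text containing `()`, `new`, `=` or any identifier is refused before it could reach eval(); it deliberately accepts the reporter's `{"foo":true,}{]`, and it is the real parser that rejects it.

```javascript
// Added example (not from the jQuery ticket, jQuery or json2.js); the regular
// expressions are the ones quoted in the report, the function names are assumed.

// The json2.js pre-eval safety test: reduce the text so that only JSON
// structural characters remain, then check that nothing else is left.
function looksSafeForEval(text) {
  const stripped = text
    // 1. Neutralise backslash escapes so they cannot hide a quote or bracket.
    .replace(/\\(?:["\\\/bfnrt]|u[0-9a-fA-F]{4})/g, "@")
    // 2. Collapse strings, numbers and the literals true/false/null to "]".
    .replace(/"[^"\\\n\r]*"|true|false|null|-?\d+(?:\.\d*)?(?:[eE][+\-]?\d+)?/g, "]")
    // 3. Drop "[" tokens that open an array at the start or after ":" / ",".
    .replace(/(?:^|:|,)(?:\s*\[)+/g, "");
  // Any surviving letter, "(", "=" or other non-structural character fails.
  return /^[\],:{}\s]*$/.test(stripped);
}

// Report both properties side by side: whether the filter passes the text,
// and whether it is actually valid JSON according to a real parser.
function checkInput(text) {
  let validJSON = true;
  try {
    JSON.parse(text);
  } catch (e) {
    validJSON = false;
  }
  return { passesFilter: looksSafeForEval(text), validJSON: validJSON };
}

// What a parseJSON built on this filter has to do: the filter gates what may
// be evaluated, the parser is what reports malformed input as an exception.
function parseJSON(text) {
  if (!looksSafeForEval(text)) {
    throw new SyntaxError("rejected by the eval safety filter");
  }
  // JSON.parse is used here in place of eval(); it throws on the trailing
  // comma and stray "{]" from the ticket, as the jQuery docs promise.
  return JSON.parse(text);
}

// Constructed inputs: the ticket's example, a trailing-comma array, and
// three strings that contain invocation, construction or assignment.
const samples = [
  '{"foo":true,}{]',
  '[1,2,]',
  '{"a":1}',
  '{"a":alert(1)}',
  'new Date()',
  '{"a":"b"}; x = 1',
];
for (const s of samples) {
  const r = checkInput(s);
  console.log(JSON.stringify(s), "filter:", r.passesFilter, "valid JSON:", r.validJSON);
}
```

The first two samples pass the filter yet are not valid JSON, which is exactly the reporter's observation; the last three are caught by the filter before any evaluation, which is the property the regex exists to provide.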