From a security perspective, I can see simply doing an 'eval' on incoming JSON data as a critical mistake. If you got data like below you'd have some problems.
{ someData:((function() {
alert("i'm in ur code hackin' ur page");
})()) }
I wondered what do most popular Javascript libraries do? Is it a manual parse or simply an eval?
[Edit]
I'm not asking if I should eval/parse - I was asking what methods some of the popular Javascript libraries used (jQuery, Prototype, etc...)
asked Jul 17, 2009 at 13:51 by hugoware (edited Jul 17, 2009 at 14:00)

4 Answers

Here's what the official JavaScript parser does:
    // In the second stage, we run the text against regular expressions that look
    // for non-JSON patterns. We are especially concerned with '()' and 'new'
    // because they can cause invocation, and '=' because it can cause mutation.
    // But just to be safe, we want to reject all unexpected forms.
    // We split the second stage into 4 regexp operations in order to work around
    // crippling inefficiencies in IE's and Safari's regexp engines. First we
    // replace the JSON backslash pairs with '@' (a non-JSON character). Second, we
    // replace all simple value tokens with ']' characters. Third, we delete all
    // open brackets that follow a colon or comma or that begin the text. Finally,
    // we look to see that the remaining characters are only whitespace or ']' or
    // ',' or ':' or '{' or '}'. If that is so, then the text is safe for eval.

    if (/^[\],:{}\s]*$/.
        test(text.replace(/\\(?:["\\\/bfnrt]|u[0-9a-fA-F]{4})/g, '@').
            replace(/"[^"\\\n\r]*"|true|false|null|-?\d+(?:\.\d*)?(?:[eE][+\-]?\d+)?/g, ']').
            replace(/(?:^|:|,)(?:\s*\[)+/g, ''))) {

        // In the third stage we use the eval function to compile the text into a
        // JavaScript structure. The '{' operator is subject to a syntactic ambiguity
        // in JavaScript: it can begin a block or an object literal. We wrap the text
        // in parens to eliminate the ambiguity.

        j = eval('(' + text + ')');
        ...
With the exception of the built-in JSON parsing support that is in modern browsers, this is what all (library-based) secure JSON parsers do (i.e., a regex test before eval).
Secure libraries (in addition to the official json2 implementation):
- Prototype's isJSON function.
- Mootools' JSON.decode function (again, via a regex test before eval).

Unsecure libraries:
- dojo's fromJson does not provide secure eval'ing. Here is their entire implementation (minus comments):

    dojo.fromJson = function(json) {
        return eval("(" + json + ")");
    }

- jQuery does not provide secure JSON eval'ing, but see the official plugin's secureEvalJSON function (line 143).
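As an added example that is not part of the original answer, of json2.js, or of any of the libraries named above, the script below reimplements the three-substitution gate quoted above as a standalone function and then contrasts three ways of handling the same text: a dojo-style unconditional eval, the gated eval, and the built-in JSON.parse. The payload is constructed in the spirit of the question; it sets a global flag instead of calling alert so that the effect is observable under Node. The names looksLikeJson, naiveEvalJson, gatedEvalJson, PAYLOAD, GOOD and demo are this example's own.

```javascript
// Added example: json2.js-style "safe to eval?" gate versus naive eval and JSON.parse.

// The three substitutions from json2.js: neutralise escape pairs, collapse simple
// value tokens to ']', then strip '[' that follow ':' / ',' or begin the text.
// Whatever is left must consist only of structural characters and whitespace.
function looksLikeJson(text) {
  const stripped = text
    .replace(/\\(?:["\\\/bfnrt]|u[0-9a-fA-F]{4})/g, '@')
    .replace(/"[^"\\\n\r]*"|true|false|null|-?\d+(?:\.\d*)?(?:[eE][+\-]?\d+)?/g, ']')
    .replace(/(?:^|:|,)(?:\s*\[)+/g, '');
  return /^[\],:{}\s]*$/.test(stripped);
}

// The insecure path: dojo.fromJson-style unconditional eval of the text.
function naiveEvalJson(text) {
  return eval('(' + text + ')');
}

// The json2.js path: run the gate first, eval only if the text passes.
function gatedEvalJson(text) {
  if (!looksLikeJson(text)) {
    throw new SyntaxError('text is not JSON-shaped; refusing to eval');
  }
  return eval('(' + text + ')');
}

// Constructed payload (assumption, not real traffic): looks like an object literal,
// but the "value" is an immediately-invoked function that records that it ran.
const PAYLOAD = '{ someData: ((function () { globalThis.pwned = true; return 42; })()) }';
// Constructed well-formed JSON covering strings with escapes, numbers, null, booleans.
const GOOD = '{"someData": 42, "list": [1, 2.5e3, "a\\"b", null, true]}';

function demo() {
  const result = {};

  globalThis.pwned = false;
  result.naive = naiveEvalJson(PAYLOAD).someData; // 42, and the IIFE executed
  result.naiveRan = globalThis.pwned;              // true

  globalThis.pwned = false;
  result.gateOnPayload = looksLikeJson(PAYLOAD);   // false: letters survive the substitutions
  try {
    gatedEvalJson(PAYLOAD);
    result.gatedThrew = false;
  } catch (e) {
    result.gatedThrew = e instanceof SyntaxError;
  }
  result.gatedRan = globalThis.pwned;              // false: eval was never reached

  result.gateOnGood = looksLikeJson(GOOD);         // true
  result.gatedGood = gatedEvalJson(GOOD).list.length; // 5

  // The built-in parser never evaluates anything; it rejects the payload outright.
  try {
    JSON.parse(PAYLOAD);
    result.builtinThrew = false;
  } catch (e) {
    result.builtinThrew = e instanceof SyntaxError;
  }
  result.builtinGood = JSON.parse(GOOD).someData;  // 42
  return result;
}
```

The gate works because every JSON value token is replaced by `]` before the final character-class check, so any identifier, operator or parenthesis left over from JavaScript syntax fails the test. Where JSON.parse is available it should be preferred outright: it does not depend on a regular expression being a perfect predicate for "harmless to eval".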
You should absolutely parse it! JSON is just a subset of JavaScript. But eval would evaluate any JavaScript code and not that specific subset like a JSON parser would.
Use evalJSON() instead? As far as I know this basically calls eval() after some sanitization checks.
From http://code.google.com/p/json-sans-eval/ :

A fast and secure JSON parser in JavaScript

This JSON parser does not attempt to validate the JSON, so it may return a result given a syntactically invalid input, but it does not use eval, so it is deterministic and is guaranteed not to modify any object other than its return value.

There are a number of JSON parsers in JavaScript at json. This implementation should be used whenever security is a concern (when JSON may come from an untrusted source), speed is a concern, and erroring on malformed JSON is not a concern.
This implementation
- Pros: Fast, secure
- Cons: Not validating

json_parse.js
- Pros: Validating, secure
- Cons: Slow

json2.js
- Pros: Fast, some validation
- Cons: Potentially insecure
json2.js is very fast, but potentially insecure since it calls eval to parse JSON data, so an attacker might be able to supply strange JS that looks like JSON, but that executes arbitrary javascript.
If you do have to use json2.js with untrusted data, make sure you keep your version of json2.js up to date so that you get patches as they're released.
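As an added example that is neither json-sans-eval's code nor json_parse.js, the block below shows the other approach this answer contrasts with json2.js: a small validating recursive-descent JSON parser that never calls eval. Every value is recognised by inspecting characters, so JavaScript that merely looks like JSON (such as the question's immediately-invoked function) is reported as a syntax error with an offset rather than executed. The function name parseJson, the helper names, and the constructed inputs PAYLOAD and GOOD are this example's own assumptions.

```javascript
// Added example: validating recursive-descent JSON parser with no eval anywhere.
function parseJson(text) {
  let i = 0;
  const fail = (msg) => { throw new SyntaxError(`${msg} at offset ${i}`); };
  const ws = () => { while (i < text.length && ' \t\n\r'.includes(text[i])) i++; };
  const expect = (ch) => { if (text[i] !== ch) fail(`expected '${ch}'`); i++; };
  const ESC = { '"': '"', '\\': '\\', '/': '/', b: '\b', f: '\f', n: '\n', r: '\r', t: '\t' };
  const NUM = /-?(?:0|[1-9]\d*)(?:\.\d+)?(?:[eE][+-]?\d+)?/y; // sticky: match at i only

  function value() {
    ws();
    const c = text[i];
    if (c === '{') return object();
    if (c === '[') return array();
    if (c === '"') return string();
    if (c === '-' || (c >= '0' && c <= '9')) return number();
    if (text.startsWith('true', i)) { i += 4; return true; }
    if (text.startsWith('false', i)) { i += 5; return false; }
    if (text.startsWith('null', i)) { i += 4; return null; }
    return fail('unexpected token');
  }

  function object() {
    expect('{');
    // No prototype, so a "__proto__" key is stored as plain data, never as a setter.
    const out = Object.create(null);
    ws();
    if (text[i] === '}') { i++; return out; }
    for (;;) {
      ws();
      if (text[i] !== '"') fail('expected string key');
      const key = string();
      ws(); expect(':');
      out[key] = value();
      ws();
      if (text[i] === ',') { i++; continue; }
      expect('}');
      return out;
    }
  }

  function array() {
    expect('[');
    const out = [];
    ws();
    if (text[i] === ']') { i++; return out; }
    for (;;) {
      out.push(value());
      ws();
      if (text[i] === ',') { i++; continue; }
      expect(']');
      return out;
    }
  }

  function string() {
    expect('"');
    let out = '';
    while (i < text.length && text[i] !== '"') {
      const c = text[i++];
      if (c < ' ') fail('control character in string');
      if (c !== '\\') { out += c; continue; }
      const e = text[i++];
      if (e === 'u') {
        const hex = text.slice(i, i + 4);
        if (!/^[0-9a-fA-F]{4}$/.test(hex)) fail('bad \\u escape');
        out += String.fromCharCode(parseInt(hex, 16));
        i += 4;
      } else if (Object.prototype.hasOwnProperty.call(ESC, e)) {
        out += ESC[e];
      } else {
        fail('bad escape');
      }
    }
    expect('"');
    return out;
  }

  function number() {
    NUM.lastIndex = i;
    const m = NUM.exec(text);
    if (!m) fail('bad number');
    i += m[0].length;
    return Number(m[0]);
  }

  const result = value();
  ws();
  if (i !== text.length) fail('trailing characters');
  return result;
}

// Constructed inputs (assumptions): the question's JS-disguised-as-JSON, and valid JSON.
const PAYLOAD = '{ someData: ((function () { globalThis.pwned = true; return 42; })()) }';
const GOOD = '{"someData": 42, "list": [1, 2.5e3, "a\\"b\\u0041", null, true], "nested": {"k": []}}';

function demo() {
  const out = {};
  try { parseJson(PAYLOAD); out.rejected = false; }
  catch (e) { out.rejected = e instanceof SyntaxError; out.message = e.message; }
  const v = parseJson(GOOD);
  out.someData = v.someData;            // 42
  out.list = v.list;                    // [1, 2500, 'a"bA', null, true]
  out.nestedEmpty = v.nested.k.length;  // 0
  out.protoIsOwn = Object.prototype.hasOwnProperty.call(parseJson('{"__proto__": 1}'), '__proto__');
  return out;
}
```

The parser rejects the payload at the first unquoted identifier ("expected string key at offset 2"), which is the validating behaviour json_parse.js offers and json-sans-eval trades away for speed; in either case, because nothing is ever handed to eval, the worst an attacker controlling the input can achieve is a parse error.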
Title: javascript - JSON Data - Parsed Or 'Eval'ed - Stack Overflow