admin管理员组

文章数量:1327711

I have a web app in which I allow some large text entry using text fields. This text is saved to a database and then later it is sent back to the user as a field in a JSON response. In the browser, I attempt to simply convert it to an Object using JSON.parse, but this sometimes fails depending on what the user put in the field.

I think that right now, the text has single quotes in it, and those are breaking the browser-side Javascript before I can call JSON.parse on it.

What's the best way to sanitize this data so that, ideally, I can just parse it back to an Object with minimal cleansing after it has been saved?

I have a web app in which I allow some large text entry using text fields. This text is saved to a database and then later it is sent back to the user as a field in a JSON response. In the browser, I attempt to simply convert it to an Object using JSON.parse, but this sometimes fails depending on what the user put in the field.

I think that right now, the text has single quotes in it, and those are breaking the browser-side Javascript before I can call JSON.parse on it.

What's the best way to sanitize this data so that, ideally, I can just parse it back to an Object with minimal cleansing after it has been saved?

Share Improve this question asked Jan 2, 2013 at 16:45 RyanRyan 7,95711 gold badges66 silver badges119 bronze badges 3
  • can you bine this with php? – s_p Commented Jan 2, 2013 at 16:47
  • You should not sanitize input. You need to make sure your JSON is well formed by using one of the standard JSON writers. – Ilia G Commented Jan 2, 2013 at 16:47
  • The problem lies with whatever it is you're using to encode the JSON at the server. (It's almost certainly not a single-quote character problem, as JSON strings must be quoted with double-quotes, not single-quotes.) – Pointy Commented Jan 2, 2013 at 16:47
Add a ment  | 

2 Answers 2

Reset to default 6

This isn't a sanitization problem : you can very well put a string with quotes in JSON : the encoding simply escapes them.

Your problem is an encoding one. To build a JSON string in a browser, use JSON.stringify. To do it server side, you should use the tool provided by your (unmentionned) server side language/framework.

The awesome thing with JSON is that you do not need to sanitize anything. No matter what you feed to a JSON encoder - it will always output plain JSON. Obviously that JSON needs to be HTML-encoded in case you plan to use it within a HTML page. Depending on the JS encoder you need to ensure there's no </script> in there (e.g. by replacing / with \/).

You also do not need JSON.parse. JSON is a subset of JavaScript so you can do something like that (PHP-ish for simplicity):

<script>
    var obj = <?= json_encode($whatever) ?>;
</script>

If you really want to include JSON as as tring inside JSON consider not doing it. You can just have the object itself there - no need to have a JSON string within your JSON data. But if you have this anyway it should also always work.

本文标签: How to sanitize user input text so that it can be used in JavascriptJSONStack Overflow