I have a web app in which I allow some large text entry using text fields. This text is saved to a database and then later it is sent back to the user as a field in a JSON response. In the browser, I attempt to simply convert it to an Object using JSON.parse, but this sometimes fails depending on what the user put in the field.

I think that right now, the text has single quotes in it, and those are breaking the browser-side Javascript before I can call JSON.parse on it.

What's the best way to sanitize this data so that, ideally, I can just parse it back to an Object with minimal cleansing after it has been saved?
- can you combine this with php? – s_p Commented Jan 2, 2013 at 16:47
- You should not sanitize input. You need to make sure your JSON is well formed by using one of the standard JSON writers. – Ilia G Commented Jan 2, 2013 at 16:47
- The problem lies with whatever it is you're using to encode the JSON at the server. (It's almost certainly not a single-quote character problem, as JSON strings must be quoted with double-quotes, not single-quotes.) – Pointy Commented Jan 2, 2013 at 16:47
2 Answers
This isn't a sanitization problem: you can very well put a string with quotes in JSON: the encoding simply escapes them.

Your problem is an encoding one. To build a JSON string in a browser, use JSON.stringify. To do it server side, you should use the tool provided by your (unmentioned) server side language/framework.
The awesome thing with JSON is that you do not need to sanitize anything. No matter what you feed to a JSON encoder - it will always output plain JSON. Obviously that JSON needs to be HTML-encoded in case you plan to use it within a HTML page. Depending on the JS encoder you need to ensure there's no </script> in there (e.g. by replacing / with \/).

You also do not need JSON.parse. JSON is a subset of JavaScript so you can do something like that (PHP-ish for simplicity):

    <script>
    var obj = <?= json_encode($whatever) ?>;
    </script>

If you really want to include JSON as a string inside JSON consider not doing it. You can just have the object itself there - no need to have a JSON string within your JSON data. But if you have this anyway it should also always work.
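An added example, not taken from either answer, run in browser-side JavaScript: it shows that JSON.stringify already escapes the quotes the question worries about, so the text round-trips through JSON.parse untouched, and it handles the </script> case the second answer raises by escaping <, > and & as \uXXXX sequences (an alternative to replacing / with \/). The function name encodeForInlineScript and the sample text are my own constructions.

```javascript
// JSON.stringify escapes quotes, backslashes and control characters, so user
// text survives a JSON round trip without any "sanitizing". What still needs
// care is embedding the JSON inline in an HTML <script> block, where the byte
// sequence "</script>" inside a string literal would end the block. This
// helper (an assumption of this example, not a library API) escapes the
// characters that matter for that context as JSON \uXXXX sequences.

function encodeForInlineScript(value) {
  return JSON.stringify(value)
    // "<", ">", "&" stop "</script>" and "<!--" from reaching the HTML parser
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026')
    // U+2028/U+2029 are legal inside JSON strings but were line terminators
    // in older JavaScript engines, so escape them too
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// Constructed sample resembling hostile free-text input from a form field.
const userText = "It's \"quoted\" and has </script><script>alert(1)</script>\nnewline";

// A server would do the same with json_encode / its own JSON writer.
function roundTrip(text) {
  const json = JSON.stringify({ note: text });
  return JSON.parse(json).note;
}

function inlineIsSafe(text) {
  const encoded = encodeForInlineScript({ note: text });
  // The HTML parser must not be able to find a closing tag in the payload...
  const noCloseTag = !/<\/script/i.test(encoded);
  // ...while the JS engine still evaluates it to the original data.
  const same = JSON.parse(encoded).note === text;
  return noCloseTag && same;
}
```

The escaped form is still valid JSON, so the same string can be dropped into a script tag or fetched and passed to JSON.parse without a second cleaning step.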
Source: How to sanitize user input text so that it can be used in JavascriptJSON? - Stack Overflow