Besides U+2028 and U+2029, there is also the __proto__ key, which has a special meaning in JS as implemented in browser. That prevents definitely to "safely" embed arbitrary JSON within JS.
—Claude > Le 29 sept. 2016 à 23:21, Richard Gibson <[email protected]> a écrit : > > ECMAScript claims JSON as a subset twice in > https://tc39.github.io/ecma262/#sec-json.parse > <https://tc39.github.io/ecma262/#sec-json.parse> , but (as has been > well-documented) that is not true because it JSON strings can contain > unescaped U+2028 LINE SEPARATOR and U+2029 PARAGRAPH SEPARATOR while > ECMAScript strings cannot. Mark Miller alludes to a pre-ES5 push for allowing > them (which ultimately failed) in > https://esdiscuss.org/topic/json-stringify-script#content-17 > <https://esdiscuss.org/topic/json-stringify-script#content-17> , and posits > that a repeat today would also fail. Having never seen a windmill that didn't > need slaying, I hereby make the attempt. > > Aside from slightly simplifying the spec (by eliminating the need for a > production specific to JSON.parse) and retroactively validating its claims, > such a change to _DoubleStringCharacter_ and _SingleStringCharacter_ would > allow safely embedding arbitrary JSON directly within ECMAScript, a request > which has been made before in the context of source > concatenation/construction. > > User-visible effects from the change would be limited to the absence of > SyntaxError s from code like `eval(' "\u2028" ')` or its raw-text equivalent. > _______________________________________________ > es-discuss mailing list > [email protected] > https://mail.mozilla.org/listinfo/es-discuss
_______________________________________________ es-discuss mailing list [email protected] https://mail.mozilla.org/listinfo/es-discuss
