On Thu, Mar 6, 2008 at 3:36 AM, Cassie <[EMAIL PROTECTED]> wrote:
> Kevin -
>
> Your newly checked in json.parse is giving me grief. It says this is valid
> json:
> "{3 : 5}"
>
> while these are not:
> "{'3' : '5'}"
> "{x : y}"
Actually, none of those should be valid JSON according to the spec, although
the first form is inherently safe and matches ECMAScript 3 anyway, so it
isn't surprising that the standard JSON implementation allows it.
The previous parser was incorrectly allowing the first of the second two
forms, but it turns out that this leaves open an eval exploit wherein you
can escape the double quotes. Zhen and I actually added this because we
thought it was a bogus limitation in the JSON spec, but it turns out to be
there for good reason. JSON requires all strings to be double quoted. Since
this has never been allowed in the JSON spec anyway, it should have never
been used.
JSON allows keys to be strings (always double quoted), and rvalues to be
strings, numbers, objects, or arrays. Anything else is not safe to eval(),
which means that it requires writing a complete JSON parser in
JavaScript... a very slow task.
The second form has never been allowed, because it involves variable names.
> The first thing is that it requires all keys to -not- be escaped. If the
> json object has a single quote in it, it will fail.
No, it will fail if the string is quoted with single quotes. Use double
quotes to quote strings (as per the JSON spec).
var str = '{"please don\'t break me big bad json parser" : "ok, I won\'t"}';
var obj = gadgets.json.parse(str);
> Secondly, your object
> can only have numbers in it, not text.
Not sure I follow -- keys can be strings (and apparently numbers for some
reason), and values can be numbers, strings, objects, or arrays. Strings
must always be quoted because eval would interpret the variables, and that
would be bad.
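The distinction Kevin draws above (text that is safe to hand to an eval()-based parser versus text that is actually valid JSON) can be checked mechanically. The block below is an added example written for this thread; it is not code from the gadgets library, from json2.js, or from either poster. It applies the json2.js-style whitelist idea (strip every legal JSON token, then insist that only structural characters remain) to the three inputs from the thread, and compares that with the strict check the native JSON.parse performs. The function names looksLikeJson, isValidJson, safeParse and classifyAll are this example's own.

```javascript
// Added example (not code from the thread or the gadgets library): a whitelist
// check that decides whether text is safe to pass to an eval()-based JSON
// parser, next to the strict spec check that JSON.parse applies.

// Structural whitelist in the style of json2.js: remove legal JSON tokens and
// see whether anything but braces, brackets, colons, commas and whitespace
// is left over. Single-quoted strings and bare identifiers are not tokens
// here, so their characters survive to the final test and fail it.
function looksLikeJson(text) {
  // 1. Replace legal backslash escapes (\" \\ \/ \b \f \n \r \t \uXXXX) so a
  //    closing quote cannot be hidden behind a stray backslash.
  const noEscapes = text.replace(/\\(?:["\\\/bfnrt]|u[0-9a-fA-F]{4})/g, '@');
  // 2. Replace every double-quoted string, number and literal with ']'.
  const noTokens = noEscapes.replace(
    /"[^"\\\n\r]*"|true|false|null|-?\d+(?:\.\d*)?(?:[eE][+\-]?\d+)?/g, ']');
  // 3. Drop a '[' that opens an array at the start or right after ':' or ','.
  const noOpeners = noTokens.replace(/(?:^|:|,)(?:\s*\[)+/g, '');
  // 4. Only structural characters may remain.
  return /^[\],:{}\s]*$/.test(noOpeners);
}

// Strict check: does the built-in, spec-conformant parser accept the text?
function isValidJson(text) {
  try { JSON.parse(text); return true; } catch (e) { return false; }
}

// A parser that never evals unchecked text: use the native parser where it
// exists, and only fall back to eval() behind the whitelist on engines that
// predate JSON.parse.
function safeParse(text) {
  if (typeof JSON !== 'undefined' && typeof JSON.parse === 'function') {
    return JSON.parse(text);            // throws SyntaxError on non-JSON
  }
  if (!looksLikeJson(text)) {
    throw new SyntaxError('refusing to eval non-JSON text');
  }
  return eval('(' + text + ')');        // parens so a top-level {} is an object
}

// Constructed inputs: the three forms from Cassie's mail plus the
// apostrophe case from Kevin's reply.
const samples = {
  numericKey: '{3 : 5}',
  singleQuoted: "{'3' : '5'}",
  bareNames: '{x : y}',
  apostrophes: '{"please don\'t break me big bad json parser" : "ok, I won\'t"}',
};

// Returns, per sample, whether it passes the eval whitelist and whether it
// is valid JSON. {3 : 5} is the interesting row: safe to eval, not JSON.
function classifyAll() {
  const out = {};
  for (const name of Object.keys(samples)) {
    out[name] = {
      safeShape: looksLikeJson(samples[name]),
      validJson: isValidJson(samples[name]),
    };
  }
  return out;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(classifyAll());
}
```

Running it shows why the thread's two verdicts differ: {3 : 5} passes the eval whitelist (numbers are harmless tokens) but JSON.parse rejects it, while {'3' : '5'} and {x : y} fail both checks because a single quote or a bare name is exactly the kind of character an eval-based parser must never see. The apostrophe example from the reply passes both, since the apostrophes sit inside double-quoted strings.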