Note: This RFC has been obsoleted by RFC 7159
Source of RFC: IETF - NON WORKING GROUP
Area Assignment: app
Errata ID: 3607
Status: Held for Document Update
Type: Technical
Publication Format(s): TEXT
Reported By: Bjoern Hoehrmann
Date Reported: 2013-04-27
Held for Document Update by: Barry Leiba
Date Held: 2013-05-01
Section 6 says:
A JSON text can be safely passed into JavaScript's eval() function (which compiles and executes a string) if all the characters not enclosed in strings are in the set of characters that form JSON tokens. This can be quickly determined in JavaScript with two regular expressions and calls to the test and replace methods.

var my_JSON_object =
    !(/[^,:{}\[\]0-9.\-+Eaeflnr-u \n\r\t]/.test(
        text.replace(/"(\\.|[^"\\])*"/g, ''))) &&
    eval('(' + text + ')');
It should say:
[OBSOLETE]
Notes:
Executing the following code in Microsoft Internet Explorer 9
var text = "\
var my_JSON_object = !(/[^,:{}\[\]0-9.\-+Eaeflnr-u \n\r\t]/.test(
results in an "alert" message of "EXPLOIT", i.e. part of the data is executed as if it were executable code, which the validation code in the RFC is supposed to rule out.
Credit is due to Stefano Di Paola's http://blog.mindedsecurity.com/2011/08/ye-olde-crockford-json-regexp-is.html article, and possibly others the reporter does not know of.
----- NOTES FROM THE DOCUMENT AUTHOR -----
That section should be replaced entirely with language independent advice on proper encoding and decoding, including avoidance of concatenation to construct JSON texts.
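The following JavaScript is an added example by the editor, not code from RFC 4627 or from this erratum. It reproduces the Section 6 regular-expression screen (without its trailing eval() call) to show that it only checks characters, not JSON grammar, and contrasts it with the decoding and encoding approach the document author's note asks for: JSON.parse for decoding and JSON.stringify for encoding, with no concatenation. All function names and sample inputs are the editor's own assumptions.

```javascript
// Added example (editor's own; not code from RFC 4627 or from this erratum).
// Contrasts the Section 6 character screen with a real JSON decoder/encoder.

// The RFC's regular-expression screen, reproduced from Section 6 but WITHOUT
// the trailing eval(): it only asks whether every character outside string
// literals belongs to the JSON token alphabet. It is not a grammar check.
function passesRfc4627CharacterScreen(text) {
  const withoutStrings = text.replace(/"(\\.|[^"\\])*"/g, '');
  return !/[^,:{}\[\]0-9.\-+Eaeflnr-u \n\r\t]/.test(withoutStrings);
}

// Decode: JSON.parse implements the JSON grammar itself and never executes
// anything, so malformed or non-JSON input is reported as a SyntaxError.
function parseJsonText(text) {
  try {
    return { ok: true, value: JSON.parse(text) };
  } catch (e) {
    if (e instanceof SyntaxError) return { ok: false, error: e.message };
    throw e;
  }
}

// Encode: JSON.stringify escapes quotes, backslashes and control characters,
// so data cannot terminate the string literal it is placed in.
function buildJsonText(value) {
  return JSON.stringify(value);
}

// The concatenation pattern the document author warns against: a quote in the
// data ends the literal early and the result is not a JSON text at all.
function buildByConcatenation(name) {
  return '{"name":"' + name + '"}';
}

// Sample inputs, constructed for this example (hypothetical data).
const WELL_FORMED = '{"greeting":"hi","n":[1,2,3]}';
const NOT_JSON_BUT_PASSES_SCREEN = '[1,,2]'; // every character is in the token set
const NAME_WITH_QUOTES = 'Ann "the" Ace';

// Runs the comparison and returns the observations as named booleans.
function demo() {
  return {
    screenAcceptsWellFormed: passesRfc4627CharacterScreen(WELL_FORMED),
    screenAcceptsSparseArray: passesRfc4627CharacterScreen(NOT_JSON_BUT_PASSES_SCREEN),
    parserRejectsSparseArray: !parseJsonText(NOT_JSON_BUT_PASSES_SCREEN).ok,
    concatenationBreaks: !parseJsonText(buildByConcatenation(NAME_WITH_QUOTES)).ok,
    stringifyRoundTrips:
      parseJsonText(buildJsonText({ name: NAME_WITH_QUOTES })).value.name === NAME_WITH_QUOTES,
  };
}

console.log(demo());
```

The sparse-array input is deliberately harmless: it is accepted by the character screen because it uses only token characters, yet it is not JSON, which is exactly the gap between "contains only JSON characters" and "is a JSON text". A decoder that implements the grammar closes that gap without ever involving eval(), and an encoder that escapes its input removes the need for concatenation.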
----- NOTES FROM THE VERIFIER -----