<p>Here's what the <a href="https://github.com/douglascrockford/JSON-js/blob/master/json2.js" rel="nofollow noreferrer">official JavaScript parser</a> does:</p>
<pre><code>// In the second stage, we run the text against regular expressions that look
// for non-JSON patterns. We are especially concerned with '()' and 'new'
// because they can cause invocation, and '=' because it can cause mutation.
// But just to be safe, we want to reject all unexpected forms.

// We split the second stage into 4 regexp operations in order to work around
// crippling inefficiencies in IE's and Safari's regexp engines. First we
// replace the JSON backslash pairs with '@' (a non-JSON character). Second, we
// replace all simple value tokens with ']' characters. Third, we delete all
// open brackets that follow a colon or comma or that begin the text. Finally,
// we look to see that the remaining characters are only whitespace or ']' or
// ',' or ':' or '{' or '}'. If that is so, then the text is safe for eval.

if (/^[\],:{}\s]*$/
        .test(text.replace(/\\(?:["\\\/bfnrt]|u[0-9a-fA-F]{4})/g, '@')
            .replace(/"[^"\\\n\r]*"|true|false|null|-?\d+(?:\.\d*)?(?:[eE][+\-]?\d+)?/g, ']')
            .replace(/(?:^|:|,)(?:\s*\[)+/g, ''))) {

// In the third stage we use the eval function to compile the text into a
// JavaScript structure. The '{' operator is subject to a syntactic ambiguity
// in JavaScript: it can begin a block or an object literal. We wrap the text
// in parens to eliminate the ambiguity.

    j = eval('(' + text + ')');
    ...
</code></pre>
<p>With the exception of the built-in <a href="http://caniuse.com/json" rel="nofollow noreferrer">JSON parsing support</a> that is in modern browsers, this is what all (library-based) secure JSON parsers do (i.e., a regex test before <code>eval</code>).</p>
<p><strong>Secure libraries</strong> (in addition to the official json2 implementation)</p>
<p>Prototype's <a href="http://www.prototypejs.org/assets/2009/6/16/prototype.js" rel="nofollow noreferrer"><code>isJSON</code></a> function.</p>
<p>Mootools' <a href="http://mootools.net/docs/core/Utilities/JSON#JSON:decode" rel="nofollow noreferrer"><code>JSON.decode</code></a> function (again, via a <a href="http://github.com/mootools/mootools-core/blob/master/Source/Utilities/JSON.js#L42" rel="nofollow noreferrer">regex test before <code>eval</code></a>).</p>
<p><strong>Insecure libraries</strong>:</p>
<p>dojo's <a href="http://api.dojotoolkit.org/jsdoc/1.3.2/dojo.fromJson" rel="nofollow noreferrer"><code>fromJson</code></a> does <em>not</em> provide secure <code>eval</code>ing. <a href="http://svn.dojotoolkit.org/src/tags/release-1.3.2/dojo/_base/json.js" rel="nofollow noreferrer">Here is their entire implementation (minus comments)</a>:</p>
<pre><code>dojo.fromJson = function(json) {
    return eval("(" + json + ")");
}
</code></pre>
<p>jQuery does not provide secure JSON <code>eval</code>'ing, but see the official plugin's <a href="http://code.google.com/p/jquery-json/source/browse/trunk/jquery.json.js" rel="nofollow noreferrer"><code>secureEvalJSON</code></a> function (line 143).</p>
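As an added example (not code from the answer or from json2.js itself), the same four regex stages split into standalone functions and run over constructed inputs, so the intermediate text after each stage can be inspected and the filter's verdict compared with the three concerns the comment names ('()', 'new', '='):

```javascript
// Added example: json2.js's pre-eval filter, one stage per step.
// Modern code should simply call JSON.parse; this shows what the
// legacy regex gate accepts and rejects.

// Stage 1: replace JSON backslash escape pairs with '@' (a non-JSON character).
const ESCAPES = /\\(?:["\\\/bfnrt]|u[0-9a-fA-F]{4})/g;
// Stage 2: replace every simple value token (string, literal, number) with ']'.
const VALUES = /"[^"\\\n\r]*"|true|false|null|-?\d+(?:\.\d*)?(?:[eE][+\-]?\d+)?/g;
// Stage 3: delete open brackets that follow a colon or comma, or begin the text.
const OPENERS = /(?:^|:|,)(?:\s*\[)+/g;
// Stage 4: whatever remains may only be whitespace or ] , : { }.
const REMAINDER = /^[\],:{}\s]*$/;

// Returns each stage's output plus the final verdict.
function filterStages(text) {
  const afterEscapes = text.replace(ESCAPES, '@');
  const afterValues = afterEscapes.replace(VALUES, ']');
  const afterOpeners = afterValues.replace(OPENERS, '');
  return { afterEscapes, afterValues, afterOpeners, safe: REMAINDER.test(afterOpeners) };
}

// The json2.js gate: true means "no invocation/mutation syntax survived",
// not "this is valid JSON" (e.g. '{]}' passes and eval would then throw).
function isSafeForEval(text) {
  return filterStages(text).safe;
}

// Constructed sample inputs (not from the original answer).
const SAMPLES = [
  { text: '{"user": "a\\"b", "ids": [1, 2.5e3, null], "ok": true}', expectSafe: true },
  { text: '[1, 2, {"a": []}]', expectSafe: true },
  { text: '{"x": (function(){ return 1; })()}', expectSafe: false }, // '()' invocation
  { text: '{"when": new Date()}', expectSafe: false },              // 'new'
  { text: '{"y": a = 1}', expectSafe: false },                      // '=' mutation
];

// Runs every sample and reports mismatches between verdict and expectation.
function checkSamples() {
  return SAMPLES.filter(s => isSafeForEval(s.text) !== s.expectSafe).map(s => s.text);
}

for (const s of SAMPLES) {
  const st = filterStages(s.text);
  console.log(JSON.stringify(s.text), '->', JSON.stringify(st.afterOpeners), 'safe:', st.safe);
}
```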