Safely parsing a JSON string with unquoted keys
Question
json2.js is strict requiring all object keys be double-quoted. However, in Javascript syntax {"foo":"bar"} is equivalent to {foo:"bar"} .
I have a textarea that accepts JSON input from the user and would like to "ease" the restriction on double quoting the keys. I've looked at how json2.js validates a JSON string in four stages before it evals it. I was able to add a 5th stage to allow unquoted keys and would like to know if there are any security implications to this logic.
var data = '{name:"hello", age:"23"}';
// Make sure the incoming data is actual JSON
// Logic borrowed from http://json.org/json2.js
if ( /^[\],:{}\s]*$/.test(data.replace(/\\(?:["\\\/bfnrt]|u[0-9a-fA-F]{4})/g, "@")
.replace(/"[^"\\\n\r]*"|true|false|null|-?\d+(?:\.\d*)?(?:[eE][+\-]?\d+)?/g, "]")
.replace(/(?:^|:|,)(?:\s*\[)+/g, ":") // EDITED: allow key:[array] by replacing with safe char ":"
/** everything up to this point is json2.js **/
/** this is the 5th stage where it accepts unquoted keys **/
.replace(/\w+\s*\:/g, ":")) ) { // EDITED: allow any alphanumeric key
console.log( (new Function("return " + data))() );
}
else {
throw( "Invalid JSON: " + data );
}
5 answers
solution1
7 2010-11-18 00:32:00
data.replace(/(['"])?([a-zA-Z0-9]+)(['"])?:/g, '"$2":');
这将替换参数名称上的任何单引号,并添加任何缺少的单引号。
solution2
2 2010-11-18 22:18:29
I thought it would be helpful to have actual test cases to flush out any issues with this implementation. I've added a github project called JSOL with some tests. Please fill free to add to it and find issues. Thanks.
solution3
0 2010-11-18 00:21:20
JSON does not allow unquoted keys. JSON is a subset of JavaScript notation, and that does not include unquoted keys. Passing unquoted keys to just about any JSON parser will likely throw an error or return "unexpected" results.
Hope this helps
solution4
0 2020-05-04 19:26:27
Use JSON5.parse
JSON5 is a superset of JSON that allows ES5 syntax, including unquoted property keys. The JSON5 reference implementation ( json5 npm package ) provides a JSON5 object that has the same methods with the same args and semantics as the built-in JSON object.
solution5
0 2020-12-16 03:48:18
"JSON with comments" is actually a valid javascript, therefore in javascript environment the simplest native way to parse it is just evaluate it like this
function evalJs(js) {
let fn = new Function("return (" + js + ")"),
res = fn()
return res;
}
let json5 = "{\n" +
"//////\n" +
"key: 5," +
"}"
let data = evalJs(json5)
console.info(data)
Output is
{ key: 5 }
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.