A few more deviations in JSON.stringify

David-Sarah Hopwood david-sarah at jacaranda.org
Fri Jun 5 20:00:25 PDT 2009

Douglas Crockford wrote:
> Oliver Hunt wrote:
>> The
>> specified behaviour of the abstract operation Quote in section 15.12.3
>> states that only characters with a unicode number less than or equal to
>> 0x1f should be escaped.  My testing found that json2.js escapes a number
>> of other ranges of characters in unicode:
>> Should json2.js be considered right in this behaviour?


> There is a problem in [ES3] and its implementations where some characters
> can be deleted. This can cause
>     "\?"
> to be replaced with
>     "\"
> during JSON2's eval phase, which could allow evil script injection.
> This is not a problem for ES5's JSON.parse.

It is JSON.stringify that is at issue here, not JSON.parse. I believe
this problem is still relevant, because the producer may be ES5's
JSON.stringify while the consumer is an eval-based JSON parser running
on ES3.

Note that it is not necessarily valid to argue that the security issue
is entirely at the consumer end, and that an attacker could always inject
JSON strings in which these characters are not quoted. That may or may
not be the case depending on where the producer and consumer are running,
and whether they are communicating over a channel that an attacker can
influence directly (as opposed to influencing JSON.stringify's input).

Also, some JS implementations do not strip format-control characters
in JavaScript source (as was specified in ES3); they reject them instead.
This creates an interoperability problem with eval-based parsers, in
place of the above security problem.

David-Sarah Hopwood  ⚥  http://davidsarah.livejournal.com

More information about the es5-discuss mailing list