/src/json_sans_eval.js

http://json-sans-eval.googlecode.com/ · JavaScript · 238 lines · 138 code · 15 blank · 85 comment · 32 complexity · 36ff5136abf4856e52e56b0034ee52de MD5 · raw file 

    

  1. // This source code is free for use in the public domain.
    2. 

  2. // NO WARRANTY EXPRESSED OR IMPLIED. USE AT YOUR OWN RISK.
    3. 

  3. 

  4. // http://code.google.com/p/json-sans-eval/
    5. 

  5. 

  6. /**
    7. 

  7.  * Parses a string of well-formed JSON text.
    8. 

  8.  *
    9. 

  9.  * If the input is not well-formed, then behavior is undefined, but it is
    10. 

  10.  * deterministic and is guaranteed not to modify any object other than its
    11. 

  11.  * return value.
    12. 

  12.  *
    13. 

  13.  * This does not use `eval` so is less likely to have obscure security bugs than
    14. 

  14.  * json2.js.
    15. 

  15.  * It is optimized for speed, so is much faster than json_parse.js.
    16. 

  16.  *
    17. 

  17.  * This library should be used whenever security is a concern (when JSON may
    18. 

  18.  * come from an untrusted source), speed is a concern, and erroring on malformed
    19. 

  19.  * JSON is *not* a concern.
    20. 

  20.  *
    21. 

  21.  *                      Pros                   Cons
    22. 

  22.  *                    +-----------------------+-----------------------+
    23. 

  23.  * json_sans_eval.js  | Fast, secure          | Not validating        |
    24. 

  24.  *                    +-----------------------+-----------------------+
    25. 

  25.  * json_parse.js      | Validating, secure    | Slow                  |
    26. 

  26.  *                    +-----------------------+-----------------------+
    27. 

  27.  * json2.js           | Fast, some validation | Potentially insecure  |
    28. 

  28.  *                    +-----------------------+-----------------------+
    29. 

  29.  *
    30. 

  30.  * json2.js is very fast, but potentially insecure since it calls `eval` to
    31. 

  31.  * parse JSON data, so an attacker might be able to supply strange JS that
    32. 

  32.  * looks like JSON, but that executes arbitrary javascript.
    33. 

  33.  * If you do have to use json2.js with untrusted data, make sure you keep
    34. 

  34.  * your version of json2.js up to date so that you get patches as they're
    35. 

  35.  * released.
    36. 

  36.  *
    37. 

  37.  * @param {string} json per RFC 4627
    38. 

  38.  * @param {function (this:Object, string, *):*} opt_reviver optional function
    39. 

  39.  *     that reworks JSON objects post-parse per Chapter 15.12 of EcmaScript3.1.
    40. 

  40.  *     If supplied, the function is called with a string key, and a value.
    41. 

  41.  *     The value is the property of 'this'.  The reviver should return
    42. 

  42.  *     the value to use in its place.  So if dates were serialized as
    43. 

  43.  *     {@code { "type": "Date", "time": 1234 }}, then a reviver might look like
    44. 

  44.  *     {@code
    45. 

  45.  *     function (key, value) {
    46. 

  46.  *       if (value && typeof value === 'object' && 'Date' === value.type) {
    47. 

  47.  *         return new Date(value.time);
    48. 

  48.  *       } else {
    49. 

  49.  *         return value;
    50. 

  50.  *       }
    51. 

  51.  *     }}.
    52. 

  52.  *     If the reviver returns {@code undefined} then the property named by key
    53. 

  53.  *     will be deleted from its container.
    54. 

  54.  *     {@code this} is bound to the object containing the specified property.
    55. 

  55.  * @return {Object|Array}
    56. 

  56.  * @author Mike Samuel <mikesamuel@gmail.com>
    57. 

  57.  */
    58. 

  58. var jsonParse = (function () {
    59. 

  59.   var number
    60. 

  60.       = '(?:-?\\b(?:0|[1-9][0-9]*)(?:\\.[0-9]+)?(?:[eE][+-]?[0-9]+)?\\b)';
    61. 

  61.   var oneChar = '(?:[^\\0-\\x08\\x0a-\\x1f\"\\\\]'
    62. 

  62.       + '|\\\\(?:[\"/\\\\bfnrt]|u[0-9A-Fa-f]{4}))';
    63. 

  63.   var string = '(?:\"' + oneChar + '*\")';
    64. 

  64. 

  65.   // Will match a value in a well-formed JSON file.
    66. 

  66.   // If the input is not well-formed, may match strangely, but not in an unsafe
    67. 

  67.   // way.
    68. 

  68.   // Since this only matches value tokens, it does not match whitespace, colons,
    69. 

  69.   // or commas.
    70. 

  70.   var jsonToken = new RegExp(
    71. 

  71.       '(?:false|true|null|[\\{\\}\\[\\]]'
    72. 

  72.       + '|' + number
    73. 

  73.       + '|' + string
    74. 

  74.       + ')', 'g');
    75. 

  75. 

  76.   // Matches escape sequences in a string literal
    77. 

  77.   var escapeSequence = new RegExp('\\\\(?:([^u])|u(.{4}))', 'g');
    78. 

  78. 

  79.   // Decodes escape sequences in object literals
    80. 

  80.   var escapes = {
    81. 

  81.     '"': '"',
    82. 

  82.     '/': '/',
    83. 

  83.     '\\': '\\',
    84. 

  84.     'b': '\b',
    85. 

  85.     'f': '\f',
    86. 

  86.     'n': '\n',
    87. 

  87.     'r': '\r',
    88. 

  88.     't': '\t'
    89. 

  89.   };
    90. 

  90.   function unescapeOne(_, ch, hex) {
    91. 

  91.     return ch ? escapes[ch] : String.fromCharCode(parseInt(hex, 16));
    92. 

  92.   }
    93. 

  93. 

  94.   // A non-falsy value that coerces to the empty string when used as a key.
    95. 

  95.   var EMPTY_STRING = new String('');
    96. 

  96.   var SLASH = '\\';
    97. 

  97. 

  98.   // Constructor to use based on an open token.
    99. 

  99.   var firstTokenCtors = { '{': Object, '[': Array };
    100. 

  100. 

  101.   var hop = Object.hasOwnProperty;
    102. 

  102. 

  103.   return function (json, opt_reviver) {
    104. 

  104.     // Split into tokens
    105. 

  105.     var toks = json.match(jsonToken);
    106. 

  106.     // Construct the object to return
    107. 

  107.     var result;
    108. 

  108.     var tok = toks[0];
    109. 

  109.     var topLevelPrimitive = false;
    110. 

  110.     if ('{' === tok) {
    111. 

  111.       result = {};
    112. 

  112.     } else if ('[' === tok) {
    113. 

  113.       result = [];
    114. 

  114.     } else {
    115. 

  115.       // The RFC only allows arrays or objects at the top level, but the JSON.parse
    116. 

  116.       // defined by the EcmaScript 5 draft does allow strings, booleans, numbers, and null
    117. 

  117.       // at the top level.
    118. 

  118.       result = [];
    119. 

  119.       topLevelPrimitive = true;
    120. 

  120.     }
    121. 

  121. 

  122.     // If undefined, the key in an object key/value record to use for the next
    123. 

  123.     // value parsed.
    124. 

  124.     var key;
    125. 

  125.     // Loop over remaining tokens maintaining a stack of uncompleted objects and
    126. 

  126.     // arrays.
    127. 

  127.     var stack = [result];
    128. 

  128.     for (var i = 1 - topLevelPrimitive, n = toks.length; i < n; ++i) {
    129. 

  129.       tok = toks[i];
    130. 

  130. 

  131.       var cont;
    132. 

  132.       switch (tok.charCodeAt(0)) {
    133. 

  133.         default:  // sign or digit
    134. 

  134.           cont = stack[0];
    135. 

  135.           cont[key || cont.length] = +(tok);
    136. 

  136.           key = void 0;
    137. 

  137.           break;
    138. 

  138.         case 0x22:  // '"'
    139. 

  139.           tok = tok.substring(1, tok.length - 1);
    140. 

  140.           if (tok.indexOf(SLASH) !== -1) {
    141. 

  141.             tok = tok.replace(escapeSequence, unescapeOne);
    142. 

  142.           }
    143. 

  143.           cont = stack[0];
    144. 

  144.           if (!key) {
    145. 

  145.             if (cont instanceof Array) {
    146. 

  146.               key = cont.length;
    147. 

  147.             } else {
    148. 

  148.               key = tok || EMPTY_STRING;  // Use as key for next value seen.
    149. 

  149.               break;
    150. 

  150.             }
    151. 

  151.           }
    152. 

  152.           cont[key] = tok;
    153. 

  153.           key = void 0;
    154. 

  154.           break;
    155. 

  155.         case 0x5b:  // '['
    156. 

  156.           cont = stack[0];
    157. 

  157.           stack.unshift(cont[key || cont.length] = []);
    158. 

  158.           key = void 0;
    159. 

  159.           break;
    160. 

  160.         case 0x5d:  // ']'
    161. 

  161.           stack.shift();
    162. 

  162.           break;
    163. 

  163.         case 0x66:  // 'f'
    164. 

  164.           cont = stack[0];
    165. 

  165.           cont[key || cont.length] = false;
    166. 

  166.           key = void 0;
    167. 

  167.           break;
    168. 

  168.         case 0x6e:  // 'n'
    169. 

  169.           cont = stack[0];
    170. 

  170.           cont[key || cont.length] = null;
    171. 

  171.           key = void 0;
    172. 

  172.           break;
    173. 

  173.         case 0x74:  // 't'
    174. 

  174.           cont = stack[0];
    175. 

  175.           cont[key || cont.length] = true;
    176. 

  176.           key = void 0;
    177. 

  177.           break;
    178. 

  178.         case 0x7b:  // '{'
    179. 

  179.           cont = stack[0];
    180. 

  180.           stack.unshift(cont[key || cont.length] = {});
    181. 

  181.           key = void 0;
    182. 

  182.           break;
    183. 

  183.         case 0x7d:  // '}'
    184. 

  184.           stack.shift();
    185. 

  185.           break;
    186. 

  186.       }
    187. 

  187.     }
    188. 

  188.     // Fail if we've got an uncompleted object.
    189. 

  189.     if (topLevelPrimitive) {
    190. 

  190.       if (stack.length !== 1) { throw new Error(); }
    191. 

  191.       result = result[0];
    192. 

  192.     } else {
    193. 

  193.       if (stack.length) { throw new Error(); }
    194. 

  194.     }
    195. 

  195. 

  196.     if (opt_reviver) {
    197. 

  197.       // Based on walk as implemented in http://www.json.org/json2.js
    198. 

  198.       var walk = function (holder, key) {
    199. 

  199.         var value = holder[key];
    200. 

  200.         if (value && typeof value === 'object') {
    201. 

  201.           var toDelete = null;
    202. 

  202.           for (var k in value) {
    203. 

  203.             if (hop.call(value, k) && value !== holder) {
    204. 

  204.               // Recurse to properties first.  This has the effect of causing
    205. 

  205.               // the reviver to be called on the object graph depth-first.
    206. 

  206. 

  207.               // Since 'this' is bound to the holder of the property, the
    208. 

  208.               // reviver can access sibling properties of k including ones
    209. 

  209.               // that have not yet been revived.
    210. 

  210. 

  211.               // The value returned by the reviver is used in place of the
    212. 

  212.               // current value of property k.
    213. 

  213.               // If it returns undefined then the property is deleted.
    214. 

  214.               var v = walk(value, k);
    215. 

  215.               if (v !== void 0) {
    216. 

  216.                 value[k] = v;
    217. 

  217.               } else {
    218. 

  218.                 // Deleting properties inside the loop has vaguely defined
    219. 

  219.                 // semantics in ES3 and ES3.1.
    220. 

  220.                 if (!toDelete) { toDelete = []; }
    221. 

  221.                 toDelete.push(k);
    222. 

  222.               }
    223. 

  223.             }
    224. 

  224.           }
    225. 

  225.           if (toDelete) {
    226. 

  226.             for (var i = toDelete.length; --i >= 0;) {
    227. 

  227.               delete value[toDelete[i]];
    228. 

  228.             }
    229. 

  229.           }
    230. 

  230.         }
    231. 

  231.         return opt_reviver.call(holder, key, value);
    232. 

  232.       };
    233. 

  233.       result = walk({ '': result }, '');
    234. 

  234.     }
    235. 

  235. 

  236.     return result;
    237. 

  237.   };
    238. 

  238. })();
    239.