JSON数据 - 解析或'评估' [英] JSON Data - Parsed Or 'Eval'ed
问题描述
从安全角度来看,我可以看到对传入的JSON数据执行'eval'是一个严重的错误。如果你得到如下数据,你会遇到一些问题。
From a security perspective, I can see simply doing an 'eval' on incoming JSON data as a critical mistake. If you got data like below you'd have some problems.
{ someData:((function() {
alert("i'm in ur code hackin' ur page");
})()) }
我想知道最流行的Javascript库做了什么?是手动解析还是仅仅是评估?
I wondered what do most popular Javascript libraries do? Is it a manual parse or simply an eval?
我不是问我是否应该eval / parse - 我问的是一些流行的Javascript库使用了什么方法(jQuery,Prototype等等)
I'm not asking if I should eval/parse - I was asking what methods some of the popular Javascript libraries used (jQuery, Prototype, etc...)
推荐答案
以下是官方JavaScript解析器:
// In the second stage, we run the text against regular expressions that look
// for non-JSON patterns. We are especially concerned with '()' and 'new'
// because they can cause invocation, and '=' because it can cause mutation.
// But just to be safe, we want to reject all unexpected forms.
// We split the second stage into 4 regexp operations in order to work around
// crippling inefficiencies in IE's and Safari's regexp engines. First we
// replace the JSON backslash pairs with '@' (a non-JSON character). Second, we
// replace all simple value tokens with ']' characters. Third, we delete all
// open brackets that follow a colon or comma or that begin the text. Finally,
// we look to see that the remaining characters are only whitespace or ']' or
// ',' or ':' or '{' or '}'. If that is so, then the text is safe for eval.
if (/^[\],:{}\s]*$/.
test(text.replace(/\\(?:["\\\/bfnrt]|u[0-9a-fA-F]{4})/g, '@').
replace(/"[^"\\\n\r]*"|true|false|null|-?\d+(?:\.\d*)?(?:[eE][+\-]?\d+)?/g, ']').
replace(/(?:^|:|,)(?:\s*\[)+/g, ''))) {
// In the third stage we use the eval function to compile the text into a
// JavaScript structure. The '{' operator is subject to a syntactic ambiguity
// in JavaScript: it can begin a block or an object literal. We wrap the text
// in parens to eliminate the ambiguity.
j = eval('(' + text + ')');
...
除了内置的 JSON解析支持,这是所有(基于库的)安全JSON解析器所做的事情(即, eval
之前的正则表达式测试。
With the exception of the built-in JSON parsing support that is in modern browsers, this is what all (library-based) secure JSON parsers do (ie, a regex test before eval
).
安全库(除官方json2之外)实施)
Secure libraries (in addition to the official json2 implementation)
Prototype的 isJSON
功能。
Prototype's isJSON
function.
Mootools' JSON.decode
功能(再次通过 eval $前的正则表达式测试c $ c>
)。
Mootools' JSON.decode
function (again, via a regex test before eval
).
不安全库:
道场的 fromJson
不提供安全 eval
ing。 这是他们的整个实施(减去评论):
dojo's fromJson
does not provide secure eval
ing. Here is their entire implementation (minus comments):
dojo.fromJson = function(json) {
return eval("(" + json + ")");
}
jQuery不提供安全的JSON eval
'ing,但请参阅官方插件 secureEvalJSON
功能(第143行)。
jQuery does not provide secure JSON eval
'ing, but see the official plugin's secureEvalJSON
function (line 143).
这篇关于JSON数据 - 解析或'评估'的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!