Correctly Parse JSON that has been formatted with the JSON Array Vulnerability Protection #59

@mdedetrich

http://haacked.com/archive/2008/11/20/anatomy-of-a-subtle-json-vulnerability.aspx
tornadoweb/tornado#1009 (comment)
https://docs.angularjs.org/api/ng/service/$http

Long story short, due to a JSON security vulnerability, sites can output their JSON in the form of

{"d": ["Philha", "my-confession-to-crimes", 7423.42]}

Which represents the original JSON value of

["Philha", "my-confession-to-crimes", 7423.42]

Alternately (and my webserver does this), it can prelude the original JSON with the following string

)]}',\n

So the previous example would look like

)]}',
["Philha", "my-confession-to-crimes", 7423.42]

The require.js JSON plugin should account for this; currently it fails parsing with the following error message

SyntaxError: JSON Parse error: Unexpected token ')'

(when using the prelude version)
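
The following is an added example, not part of the original issue and not code from the require.js JSON plugin: one way a client could accept both protection forms described above before calling `JSON.parse`. The helper names and the `unwrapKey` option are hypothetical, and tolerating a missing comma or a CRLF after the guard is an assumption.

```javascript
// Added example. Helper names are hypothetical, not the require.js JSON plugin's API.

// Matches the ")]}'," guard line described in the issue, with or without the
// trailing comma, followed by a newline (assumption: CRLF is tolerated too).
const GUARD_PREFIX = /^\)\]\}',?\r?\n/;

// Remove the guard line if present; otherwise return the text unchanged.
function stripGuardPrefix(text) {
  return text.replace(GUARD_PREFIX, '');
}

// True only for a plain object whose sole own key is `key`.
function isWrapper(value, key) {
  if (value === null || typeof value !== 'object' || Array.isArray(value)) return false;
  const keys = Object.keys(value);
  return keys.length === 1 && keys[0] === key;
}

// Parse a response body that may use either protection form.
// `unwrapKey` is opt-in because {"d": ...} can also be legitimate data.
function parseProtectedJson(text, { unwrapKey = null } = {}) {
  const value = JSON.parse(stripGuardPrefix(String(text)));
  return unwrapKey !== null && isWrapper(value, unwrapKey) ? value[unwrapKey] : value;
}

// Constructed sample bodies, taken from the two forms shown in the issue.
const prefixed = ")]}',\n[\"Philha\", \"my-confession-to-crimes\", 7423.42]";
const wrapped = '{"d": ["Philha", "my-confession-to-crimes", 7423.42]}';

console.log(parseProtectedJson(prefixed));
console.log(parseProtectedJson(wrapped, { unwrapKey: 'd' }));
console.log(parseProtectedJson(wrapped)); // left wrapped unless the caller opts in
```

Stripping is anchored to the start of the body, so a `)]}'` sequence that appears inside a JSON string value is left untouched.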
