code review 4519063: json: don't permit literal U+2028 or U+2029 in strings

json: don't permit literal U+2028 or U+2029 in strings

See http://timelessrepo.com/json-isnt-a-javascript-subset

[bradfitz, 2011-05-16 17:20:26]

Hello golang-dev@googlegroups.com (cc: golang-dev@googlegroups.com),

I'd like you to review this change to
https://go.googlecode.com/hg

[rsc1, 2011-05-16 17:32:15]

But this is a JSON package, not a JavaScript package.
Maybe the test belongs in HTMLEscape?

[bradfitz, 2011-05-16 17:36:41]

On Mon, May 16, 2011 at 10:32 AM, Russ Cox <rsc@google.com> wrote:

> But this is a JSON package, not a JavaScript package.
>

JSON is supposed to be a subset of JavaScript.

Despite the new JSON.parse function in modern browsers, many browsers still
use 'eval' to parse JavaScript.

This also matters when using JSONP (http://en.wikipedia.org/wiki/JSONP) to
your own (trusted) server.


> Maybe the test belongs in HTMLEscape?
>

What's this have to do with HTML?

I'd rather we do the safe thing by in JSON by default.  This is still valid
JSON.  It's just also valid JavaScript too.

[rsc1, 2011-05-16 17:43:49]

> JSON is supposed to be a subset of JavaScript.

The advertising copy certainly says that,
but the definition at http://json.org/ makes no
reference to JavaScript semantics.

Is the Go string literal `"` + "\u2028" + `"` valid JSON?
From http://json.org/, I think it is.

If it is valid, then the current code is fine and HTMLEscape
(since JavaScript is usually inside HTML) is the right
solution.  Or you can add a JavaScriptEscape.
HTMLEscape is a separate function because not all
JSON produced by an encoder comes from the
function you changed.  Some comes from external
method callouts, and we don't want to depend on them
to know about all these otherwise-fine characters that
really have to be escaped for one context or another.

If it is not valid, then the parser logic needs to change to
reject "\u2028".

Russ

[bradfitz, 2011-05-16 17:56:24]

On Mon, May 16, 2011 at 10:43 AM, Russ Cox <rsc@google.com> wrote:

> > JSON is supposed to be a subset of JavaScript.
>
> The advertising copy certainly says that,
> but the definition at http://json.org/ makes no
> reference to JavaScript semantics.
>

In practice, web apps eval JSON, right?

>
> Is the Go string literal `"` + "\u2028" + `"` valid JSON?
> From http://json.org/, I think it is.
>

It is.  But it can't be evaled by JavaScript.

If it is valid, then the current code is fine and HTMLEscape
> (since JavaScript is usually inside HTML) is the right
> solution.


What? Doing an HTML escape just escapes it from HTML but then passes down
the decoded U+2028 to JavaScript where it's then illegal.   Convince
yourself with this html file:

<body>
<input type=button onclick='alert(JSON.stringify({"foo": "ba&#x2028;r"}))'
value='click' />
</body>

And look at the resulting error: "unterminated string literal" in firefox
and "Unexpected token ILLEGAL" in Chrome.

Change that to e.g. &#x2027 and you'll see the middle dot character in both
browsers.


If it is not valid, then the parser logic needs to change to
> reject "\u2028".
>

Why?  "\u2028" is perfectly valid JSON and is fine input & output.

We just don't want a literal \u2028 or \u2029 in the encoded JSON so it can
be used by JavaScript.

[rsc1, 2011-05-16 18:02:33]

>> > JSON is supposed to be a subset of JavaScript.
>>
>> The advertising copy certainly says that,
>> but the definition at http://json.org/ makes no
>> reference to JavaScript semantics.
>
> In practice, web apps eval JSON, right?

I don't care much what web apps do.
I care about the definition of JSON.

> What? Doing an HTML escape just escapes it from HTML but then passes down
> the decoded U+2028 to JavaScript where it's then illegal.   Convince
> yourself with this html file:

You think I'm talking about template.HTMLEscape.
I am talking about json.HTMLEscape, which is different.

> "\u2028" is perfectly valid JSON and is fine input & output.

I meant the Go string containing a literal U+2028, not `"\u2028"`.

> We just don't want a literal \u2028 or \u2029 in the encoded JSON so it can be
used by JavaScript.

Right.  That's what json.HTMLEscape is for.

Russ

[bradfitz, 2011-05-16 18:20:03]

*** Abandoned ***

[rsc1, 2011-05-16 18:23:07]

Why did this get abandoned?
It seems worth doing, just in json.HTMLEscape.

[bradfitz, 2011-05-16 18:29:43]

Whoops, meant to hg change -D, not -d.

I was feeling argumentative about doing it by default (in Encode and Compact
for people who implement json.Marshaler) and wanted to see how much I cared
later.  Your "I don't care much what web apps do" comment made me feel I
should just drop it.

json.HTMLEscape is intended for people writing JavaScript into <script> tags
in html bodies, not for responses like:

HTTP/1.0 200 OK
Content-Type: application/json

myCallback({"foo": "bar"})

... I don't think people would use HTMLEscape in that context.  I certainly
never do.  I just JSON encode right to my http.ResponseWriter after I've
written "myCallback(".

Having to do all my JSON encoding into a bytes.Buffer first and then to my
ResponseWriter feels lame and therefore I lost interest.

If anything json.HTMLEscape (a weird name for JSONP too) or
json.JavascriptEscape should be a io.Writer->io.Writer instead of a
bytes.Buffer interface.


On Mon, May 16, 2011 at 11:23 AM, Russ Cox <rsc@google.com> wrote:

> Why did this get abandoned?
> It seems worth doing, just in json.HTMLEscape.
>