2

I have a web app in which I allow some large text entry using text fields. This text is saved to a database and then later it is sent back to the user as a field in a JSON response. In the browser, I attempt to simply convert it to an Object using JSON.parse, but this sometimes fails depending on what the user put in the field.

I think that right now, the text has single quotes in it, and those are breaking the browser-side Javascript before I can call JSON.parse on it.

What's the best way to sanitize this data so that, ideally, I can just parse it back to an Object with minimal cleansing after it has been saved?

Ryan
  • can you combine this with php? – t q Jan 02 '13 at 16:47
  • You should not sanitize input. You need to make sure your JSON is well formed by using one of the standard JSON writers. – Ilia G Jan 02 '13 at 16:47
  • The problem lies with whatever it is you're using to **encode** the JSON at the server. (It's almost certainly not a single-quote character problem, as JSON strings must be quoted with double-quotes, not single-quotes.) – Pointy Jan 02 '13 at 16:47

2 Answers

5

This isn't a sanitization problem: you can very well put a string with quotes in JSON: the encoding simply escapes them.

Your problem is an encoding one. To build a JSON string in a browser, use JSON.stringify. To do it server side, you should use the tool provided by your (unmentioned) server side language/framework.

Denys Séguret
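An added example (not from the answer above) of the encoding point: hand-concatenating user text into a JSON document breaks as soon as the text contains double quotes, backslashes or newlines, while a real encoder (JSON.stringify here; json_encode or an equivalent on the server) escapes them and the result round-trips through JSON.parse unchanged. The sample text is constructed for the example.

```javascript
// Constructed sample of a "large text entry" a user might submit: double quotes,
// a single quote, a newline, a backslash and a tab.
const userText = 'She said "it\'s fine" and left.\nLine two with a backslash \\ and a tab\t.';

// The anti-pattern: wrap raw text in quotes without escaping. A server that builds
// its response this way produces output JSON.parse rejects whenever the text
// contains a double quote, a backslash or a control character such as a newline.
function naiveJsonResponse(text) {
  return '{"comment": "' + text + '"}';
}

// The fix: let the encoder escape quotes, backslashes and control characters.
function encodedJsonResponse(text) {
  return JSON.stringify({ comment: text });
}

// true if the string is valid JSON, false otherwise.
function parses(json) {
  try {
    JSON.parse(json);
    return true;
  } catch (e) {
    return false;
  }
}

// Encode and decode again; returns the recovered comment text.
function roundTrip(text) {
  return JSON.parse(encodedJsonResponse(text)).comment;
}
```

Note that a string containing only single quotes survives even the naive concatenation, since JSON strings are delimited by double quotes; that is why the comments on the question point at the encoder rather than at single quotes.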
2

The awesome thing with JSON is that you do not need to sanitize anything. No matter what you feed to a JSON encoder - it will always output plain JSON. Obviously that JSON needs to be HTML-encoded in case you plan to use it within an HTML page. Depending on the JS encoder you need to ensure there's no </script> in there (e.g. by replacing / with \/).

You also do not need JSON.parse. JSON is a subset of JavaScript so you can do something like that (PHP-ish for simplicity):

<script>
    var obj = <?= json_encode($whatever) ?>;
</script>

If you really want to include JSON as a string inside JSON consider not doing it. You can just have the object itself there - no need to have a JSON string within your JSON data. But if you have this anyway it should also always work.

ThiefMaster
  • From the question ("it is sent back to the user as a field in a JSON response") I gather the JSON isn't included in an HTML file (but I'm not 100% sure as some parts of the question are fuzzy). – Denys Séguret Jan 02 '13 at 16:51
  • Hey bro, what do you think about [this question](http://stackoverflow.com/q/14126198/601179) won't it be better to delete it, it became a mess. :( and there are no good answers so, it won't be a great loss for SO... – gdoron is supporting Monica Jan 02 '13 at 18:06
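An added example (not ThiefMaster's code) of the </script> caveat in the answer above. JSON.stringify output is valid JavaScript, so it can be dropped into an inline script as the PHP snippet does, but the HTML parser ends a <script> element at the first "</script" it meets, regardless of JavaScript string boundaries. Escaping "/" as "\/" is legal in JSON, so the value parses to the same thing while the closing-tag sequence disappears. The function names and the sample input are assumptions made for this example.

```javascript
// Encode a value as JSON that is safe to place inside an inline <script> element:
// every "</" becomes "<\/", which JSON defines as the same "/" character once parsed,
// so the text "</script" can no longer appear in the emitted bytes.
function jsonForScriptTag(value) {
  return JSON.stringify(value).replace(/<\//g, '<\\/');
}

// The inline script a server template would emit (mirrors the PHP snippet above).
function inlineScript(value) {
  return '<script>\n    var obj = ' + jsonForScriptTag(value) + ';\n</script>';
}

// Constructed user input that contains a closing script tag.
const sampleInput = { comment: 'hello </script><b>oops</b>' };

// Number of "</script>" occurrences in a piece of HTML; for a correctly built
// inline script this is exactly one (the real closing tag).
function countScriptClosers(html) {
  return (html.match(/<\/script>/g) || []).length;
}

// Decode the escaped JSON again to confirm nothing was lost.
function decodeComment(value) {
  return JSON.parse(jsonForScriptTag(value)).comment;
}
```

An alternative with the same effect is to encode "<" as the JSON escape "\u003c" (some server-side encoders do this by default); either way the document-level protection is the HTML-encoding step the answer mentions, with this escape covering the one place where HTML-encoding cannot be applied because the content must remain executable script.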