2

I have a web app in which I allow some large text entry using text fields. This text is saved to a database and then later it is sent back to the user as a field in a JSON response. In the browser, I attempt to simply convert it to an Object using JSON.parse, but this sometimes fails depending on what the user put in the field.

I think that right now, the text has single quotes in it, and those are breaking the browser-side Javascript before I can call JSON.parse on it.

What's the best way to sanitize this data so that, ideally, I can just parse it back to an Object with minimal cleansing after it has been saved?

Ryan
  • 7,733
  • 10
  • 61
  • 106
  • can you combine this with php? – t q Jan 02 '13 at 16:47
  • You should not sanitize input. You need to make sure your JSON is well formed by using one of the standard JSON writers. – Ilia G Jan 02 '13 at 16:47
  • The problem lies with whatever it is you're using to **encode** the JSON at the server. (It's almost certainly not a single-quote character problem, as JSON strings must be quoted with double-quotes, not single-quotes.) – Pointy Jan 02 '13 at 16:47

2 Answers2

6

This isn't a sanitization problem : you can very well put a string with quotes in JSON : the encoding simply escapes them.

Your problem is an encoding one. To build a JSON string in a browser, use JSON.stringify. To do it server side, you should use the tool provided by your (unmentionned) server side language/framework.

Denys Séguret
  • 372,613
  • 87
  • 782
  • 758
2

The awesome thing with JSON is that you do not need to sanitize anything. No matter what you feed to a JSON encoder - it will always output plain JSON. Obviously that JSON needs to be HTML-encoded in case you plan to use it within a HTML page. Depending on the JS encoder you need to ensure there's no </script> in there (e.g. by replacing / with \/).

You also do not need JSON.parse. JSON is a subset of JavaScript so you can do something like that (PHP-ish for simplicity):

<script>
    var obj = <?= json_encode($whatever) ?>;
</script>

If you really want to include JSON as as tring inside JSON consider not doing it. You can just have the object itself there - no need to have a JSON string within your JSON data. But if you have this anyway it should also always work.

ThiefMaster
  • 310,957
  • 84
  • 592
  • 636
  • From the question ("it is sent back to the user as a field in a JSON response") I gather the JSON isn't included in an HTML file (but I'm not 100% sure as some parts of the question are fuzzy). – Denys Séguret Jan 02 '13 at 16:51
  • Hey bro, what do you think about [this question](http://stackoverflow.com/q/14126198/601179) won't it be better to delete it, it became a mass. :( and there are no good answers so, it won't be a great lost for SO... – gdoron Jan 02 '13 at 18:06