
Re: JSON string possible escape character problem

  • Douglas Crockford
    Message 1 of 7 , Mar 23, 2009
      --- In json@yahoogroups.com, "violinssoundcool" <violinssoundcool@...> wrote:
      >
      > Hi. I'm using JSON with JQGrid in an inquiry program. I'm building a JSON string with the server-side program, and the string contains an HTML hyperlink tag. Thus, the string should look something like this:
      >
      > {"rows":[
      > {"divisionNumber":"4","divisionName":"<a href=\"inv0004?productGroup=\"WFB\"&division=\"4\">MONTGOMERY - NEW STEEL</a>","onHandWeight":"336660.28","percentOfTotal":"3.74","perLbCost":".45","avgMonthlyWeight":"223615","monthsSupply":"3.37","turnoverRate":"4.69"}]}
      >
      > This string works enough. The link shows up, but when I click on it, it takes me to a URL of "inv0004?productGroup=". Is there another character that needs to be escaped?


      The string appears to be properly escaped from JSON's perspective. Your problem lies elsewhere.

      I think it is extremely unwise to pass strings received from the network into innerHTML. That pattern is insecure.
    • Stephen M. McKamey
      Message 2 of 7 , Mar 23, 2009
        Sorry typo, that HTML quote entity should not have the e on the end: &quot;

        --- In json@yahoogroups.com, "Stephen M. McKamey" <jsonml@...> wrote:
        >
        > It's valid JSON but not HTML. You're effectively closing the href attribute with the first \" in the URL.
        >
        > First off, it's going to be an issue because you're nesting unescaped quotes in a quoted string. To do that in a JSON string you'd need an extra backslash to escape the backslash. '\"' becomes '\\"'. But in HTML, you'd actually need to encode a quote with '&quot;e;'
        >
        > But your next problem is URLs aren't supposed to have unescaped quotes. You should instead replace '\"' with '%22'.
        >
        > It looks like the root of your issue is that you're using string concatenation to build up your result rather than proper encoding.
        >
        > --- In json@yahoogroups.com, "violinssoundcool" <violinssoundcool@> wrote:
        > >
        > > Hi. I'm using JSON with JQGrid in an inquiry program. I'm building a JSON string with the server-side program, and the string contains an HTML hyperlink tag. Thus, the string should look something like this:
        > >
        > > {"rows":[
        > > {"divisionNumber":"4","divisionName":"<a href=\"inv0004?productGroup=\"WFB\"&division=\"4\">MONTGOMERY - NEW STEEL</a>","onHandWeight":"336660.28","percentOfTotal":"3.74","perLbCost":".45","avgMonthlyWeight":"223615","monthsSupply":"3.37","turnoverRate":"4.69"}]}
        > >
        > > This string works enough. The link shows up, but when I click on it, it takes me to a URL of "inv0004?productGroup=". Is there another character that needs to be escaped?
        > >
        >
      • Tatu Saloranta
        Message 3 of 7 , Mar 23, 2009
          On Mon, Mar 23, 2009 at 12:53 PM, Stephen M. McKamey <jsonml@...> wrote:
          ...
          > It looks like the root of your issue is that you're using string concatenation to build up your result rather than proper encoding.

          This does seem to be the case, and if so, I agree that it's time to
          use a proper json encoder.

          Just as with xml, one should never use plain old string concatenation
          for producing content. Sometimes it's necessary to create/edit json
          (xml) by hand, but if it's done programmatically, proper tools should
          be used.
          Same goes for parsing, too, but most developers pick up that side more
          easily. :)

          -+ Tatu +-
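What Stephen and Tatu are recommending, shown as an added example that is not code from the thread: one encoder per layer instead of string concatenation. The value travels through three nested contexts (a URL query string, inside an HTML attribute, inside a JSON string), so it is encoded innermost-first with `encodeURIComponent`, an HTML attribute escaper, and `JSON.stringify`. The function names, the `buildRowByConcatenation` reconstruction of the original approach, and the sample division record are all assumptions made for this illustration. The decoding helper at the end peels the layers back off the way a browser would, which is what makes the original failure (`productGroup=` with an empty value) reproducible next to the fixed output.

```javascript
// Added example, not from the original post. Builds the divisionName cell
// from the thread with a proper encoder at each layer.
// Layers, innermost first: URL query -> HTML attribute value -> JSON string.

// Percent-encode each query parameter. Raw quotes never belong in a URL,
// and a quote inside a value must become %22 rather than terminating anything.
function buildLinkUrl(path, params) {
  const query = Object.entries(params)
    .map(([k, v]) => `${encodeURIComponent(k)}=${encodeURIComponent(v)}`)
    .join('&');
  return `${path}?${query}`;
}

// Escape for a double-quoted HTML attribute value or for element text.
// '&' is handled first so the other replacements are not double-escaped.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

function buildAnchor(url, label) {
  return `<a href="${escapeHtml(url)}">${escapeHtml(label)}</a>`;
}

// Outermost layer: let JSON.stringify produce the JSON escaping.
function buildRow(division) {
  const url = buildLinkUrl('inv0004', {
    productGroup: division.productGroup,
    division: division.number,
  });
  return JSON.stringify({
    rows: [{
      divisionNumber: String(division.number),
      divisionName: buildAnchor(url, division.name),
    }],
  });
}

// The concatenation approach from the original post, reconstructed for
// contrast. It yields valid JSON (Crockford's point) but broken HTML.
function buildRowByConcatenation(division) {
  return '{"rows":[{"divisionNumber":"' + division.number +
    '","divisionName":"<a href=\\"inv0004?productGroup=\\"' + division.productGroup +
    '\\"&division=\\"' + division.number + '\\">' + division.name + '</a>"}]}';
}

// Peel the layers back off the way a browser would: parse the JSON, take the
// first href attribute value, undo the attribute escaping, then read the
// query parameters. Returns the parameters as a plain object.
function hrefQueryParams(json) {
  const cell = JSON.parse(json).rows[0].divisionName;
  const m = /href="([^"]*)"/.exec(cell); // attribute ends at the first unescaped quote
  const href = m[1].replace(/&quot;/g, '"').replace(/&amp;/g, '&');
  const u = new URL(href, 'http://example.invalid/'); // constructed base, relative link
  return Object.fromEntries(u.searchParams);
}

// Constructed sample record, mirroring the row in the thread.
const SAMPLE_DIVISION = { number: 4, name: 'MONTGOMERY - NEW STEEL', productGroup: 'WFB' };

console.log('encoded:      ', JSON.stringify(hrefQueryParams(buildRow(SAMPLE_DIVISION))));
console.log('concatenated: ', JSON.stringify(hrefQueryParams(buildRowByConcatenation(SAMPLE_DIVISION))));
```

With the sample record the encoded path yields `{"productGroup":"WFB","division":"4"}`, while the concatenated path yields `{"productGroup":""}`, the exact symptom described in the thread. Because each layer is encoded by the function responsible for it, a product group such as `W"F&B` or a name containing `&` and `"` also survives intact, which concatenation cannot guarantee. Crockford's objection still stands on the client side: the safer design returns the plain fields (`divisionNumber`, the URL, the label) and has the grid build the anchor with DOM APIs (`createElement`, `textContent`, and the `href` property) rather than assigning server-supplied markup to `innerHTML`.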
        • violinssoundcool
          Message 4 of 7 , Mar 23, 2009
            You're totally right. Wow. I honestly can't believe I missed that. I'm no genius, but I didn't think I was a complete idiot until now. I removed the unnecessary quotes, and it works great now. So, in the end, it looks like this:

            {"rows":[
            {"divisionNumber":"4","divisionName":"<a
            href=\"inv0004?productGroup=WFB&division=4\">MONTGOMERY - NEW
            STEEL</a>",...}]}
          • violinssoundcool
            Message 5 of 7 , Mar 23, 2009
              By the way, thanks for taking the time to respond to my post.