
Re: JSON string possible escape character problem

  • Douglas Crockford
    Message 1 of 7, Mar 23, 2009
      --- In json@yahoogroups.com, "violinssoundcool" <violinssoundcool@...> wrote:
      >
      > Hi. I'm using JSON with JQGrid in an inquiry program. I'm building a JSON string with the server-side program, and the string contains an HTML hyperlink tag. Thus, the string should look something like this:
      >
      > {"rows":[
      > {"divisionNumber":"4","divisionName":"<a href=\"inv0004?productGroup=\"WFB\"&division=\"4\">MONTGOMERY - NEW STEEL</a>","onHandWeight":"336660.28","percentOfTotal":"3.74","perLbCost":".45","avgMonthlyWeight":"223615","monthsSupply":"3.37","turnoverRate":"4.69"}]}
      >
      > This string works enough. The link shows up, but when I click on it, it takes me to a URL of "inv0004?productGroup=". Is there another character that needs to be escaped?


      The string appears to be properly escaped from JSON's perspective. Your problem lies elsewhere.

      I think it is extremely unwise to pass strings received from the network into innerHTML. That pattern is insecure.
    • Stephen M. McKamey
      Message 2 of 7, Mar 23, 2009

        Sorry typo, that HTML quote entity should not have the e on the end: &quot;

        --- In json@yahoogroups.com, "Stephen M. McKamey" <jsonml@...> wrote:
        >
        > It's valid JSON but not HTML. You're effectively closing the href attribute with the first \" in the URL.
        >
        > First off, it is going to be an issue because you're nesting unescaped quotes in a quoted string. To do that in a JSON string you'd need an extra backslash to escape the backslash. '\"' becomes '\\"'. But in HTML, you'd actually need to encode a quote with '&quote;'
        >
        > But your next problem is URLs aren't supposed to have unescaped quotes. You should instead replace '\"' with '%22'.
        >
        > It looks like the root of your issue is that you're using string concatenation to build up your result rather than proper encoding.
        >
        > --- In json@yahoogroups.com, "violinssoundcool" <violinssoundcool@> wrote:
        > >
        > > Hi. I'm using JSON with JQGrid in an inquiry program. I'm building a JSON string with the server-side program, and the string contains an HTML hyperlink tag. Thus, the string should look something like this:
        > >
        > > {"rows":[
        > > {"divisionNumber":"4","divisionName":"<a href=\"inv0004?productGroup=\"WFB\"&division=\"4\">MONTGOMERY - NEW STEEL</a>","onHandWeight":"336660.28","percentOfTotal":"3.74","perLbCost":".45","avgMonthlyWeight":"223615","monthsSupply":"3.37","turnoverRate":"4.69"}]}
        > >
        > > This string works enough. The link shows up, but when I click on it, it takes me to a URL of "inv0004?productGroup=". Is there another character that needs to be escaped?
        > >
        >
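The thread's diagnosis is that three different encodings are stacked here (JSON string, HTML attribute, URL query) and that concatenating raw text into the middle layer breaks the outer ones. The following is an added example, not code from any poster: it builds the same `divisionName` link with one encoder per layer (`encodeURIComponent` for the query, an entity escaper for the attribute, `JSON.stringify` for the JSON) and uses a small attribute reader, standing in for the browser, to show why the original string's href stops at `inv0004?productGroup=`. Function names and the sample row are assumptions made for the example.

```javascript
// Added example (not from the thread). Encode each layer with its own encoder
// instead of concatenating strings, then compare with the original post's output.

// Layer 1: URL query string. Percent-encoding turns a quote into %22 and an
// ampersand into %26, so a parameter value can never break the query apart.
function buildInquiryUrl(path, params) {
  const query = Object.entries(params)
    .map(([k, v]) => `${encodeURIComponent(k)}=${encodeURIComponent(v)}`)
    .join("&");
  return `${path}?${query}`;
}

// Layer 2: HTML. Entity-encode attribute values and text so a quote in the URL
// cannot close the href attribute and a < cannot open a new tag.
const HTML_ENTITIES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => HTML_ENTITIES[c]);
}

// Reverse of escapeHtml for the five entities above; models the browser's
// attribute-value decoding so the round trip can be checked.
function unescapeHtml(s) {
  const back = Object.fromEntries(Object.entries(HTML_ENTITIES).map(([c, e]) => [e, c]));
  return String(s).replace(/&(amp|lt|gt|quot|#39);/g, (e) => back[e]);
}

// The link as the server-side program should build it: URL first, then HTML.
function buildDivisionLink(productGroup, divisionNumber, divisionName) {
  const url = buildInquiryUrl("inv0004", { productGroup, division: divisionNumber });
  return `<a href="${escapeHtml(url)}">${escapeHtml(divisionName)}</a>`;
}

// Layer 3: JSON. JSON.stringify performs the JSON escaping (including the
// backslash-quote sequences); hand-built JSON is where the extra backslash got lost.
function buildRowsJson(rows) {
  return JSON.stringify({ rows });
}

// Minimal attribute reader standing in for the browser: the href value ends at
// the first double quote after href=", exactly like the parser that produced the
// truncated URL in the original post.
function extractHref(html) {
  const m = /href="([^"]*)"/.exec(html);
  return m ? m[1] : null;
}

// Constructed sample row, using the values from the thread's example.
const sampleRows = [{
  divisionNumber: "4",
  divisionName: buildDivisionLink("WFB", "4", "MONTGOMERY - NEW STEEL"),
  onHandWeight: "336660.28",
}];

// The original post's concatenated markup as the browser sees it after JSON decoding.
const originalHtml = '<a href="inv0004?productGroup="WFB"&division="4">MONTGOMERY - NEW STEEL</a>';

// Returns the href the browser would follow for the broken and the encoded version.
function demo() {
  const decoded = JSON.parse(buildRowsJson(sampleRows));
  const fixedHref = extractHref(decoded.rows[0].divisionName);
  return {
    broken: extractHref(originalHtml),          // "inv0004?productGroup="
    fixed: unescapeHtml(fixedHref),             // "inv0004?productGroup=WFB&division=4"
  };
}
```

The grid in the thread expects markup in the JSON, so the example still produces an HTML string; where the client code is under your control, Crockford's advice in message 1 applies, and the safer path is to build the anchor with `document.createElement`, `setAttribute("href", url)` and `textContent`, which makes the HTML layer disappear entirely.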
      • violinssoundcool
        Message 3 of 7, Mar 23, 2009
          You're totally right. Wow. I honestly can't believe I missed that. I'm no genius, but I didn't think I was a complete idiot until now. I removed the unnecessary quotes, and it works great now. So, in the end, it looks like this:

          {"rows":[
          {"divisionNumber":"4","divisionName":"<a
          href=\"inv0004?productGroup=WFB&division=4\">MONTGOMERY - NEW
          STEEL</a>",...}]}
        • violinssoundcool
          Message 4 of 7, Mar 23, 2009

            By the way, thanks for taking the time to respond to my post.