fromJson should not eva() without check

[Ben Blank]

Currently, the fromJson method blindly eval()s any string passed to it, a potentially dangerous operation (depending on the string's source, it could easily contain injected code). A simple RegExp check can be used to prevent this: any string which does not match

`/^(?:[,:{}\[\]0-9.\-+Eaeflnr-u \n\r\t]|"(?:\\.|[^"\\])*")*$/` 

is not valid JSON and should not be eval()ed. (Note that the reverse is not true; that expression can match invalid JSON, but it at least won't be malicious — no function calls, control structures, etc.)

Adding the line

`if (!/^(?:[,:{}\[\]0-9.\-+Eaeflnr-u \n\r\t]|"(?:\\.|[^"\\])*")*$/.test(json)) throw "invalid JSON";` // (or some such) 

to fromJson would prevent this kind of script injection. It is also a cheap operation: it only traverses the string once and fails early if an invalid character is found.

[dante]

providing a secure JSON path is on the radar, but we can't do it in fromJson because of backward compatibility. There is already a secure parser in dojox.secure.

Perhaps:

dojo.fromJsonSecure = function(json){
    if(!/thatregexp/.test(json){
       return dojo.fromJson.apply(dojo, arguments);
    }
}

would be a small base addition worth providing?

[dante]

Additionally, making XHR and friends json-safe would be a matter of making a new contentHandler:

d.contentHandlers["json-secure"] = function(xhr){
    return dojo.fromJsonSecure(xhr.responseText);
}

[Kris Zyp]

(In [22926]) Added dojox.secure.fromJson for safe JSON parsing, fixes #10333, refs #8111