Consider escaping lone surrogates #13

Closed
mathiasbynens opened this issue Sep 24, 2018 · 5 comments

Comments

@mathiasbynens

Lone surrogates are not valid in UTF-16 or UTF-8, and can be (and have been) used to break such parsers. To protect against this, just escape them.

FWIW, I worked on https://github.com/mathiasbynens/jsesc which shares devalue’s security goals (although it does not compete with devalue, as it doesn’t aim to support cycles).

@Rich-Harris
Owner

Thanks! I opened #17, but I have to confess I don't really know what I'm doing. Does it look like a reasonable solution? Essentially it replaces JSON.stringify with a stringifyString function that behaves equivalently (in theory) except for the handling of lone surrogates.

@mathiasbynens
Author

Note that with https://github.com/tc39/proposal-well-formed-stringify, JSON.stringify should behave equivalently (modulo casing for hex digits in escape sequences). V8 v7.2.10 / Chrome 72 implements this.
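The following is an added illustration of the escaping being discussed; it is not devalue's, jsesc's or the #17 patch's code. It implements a `stringifyString` of the kind Rich describes (the name is borrowed from the thread, the body is this example's own), emitting a double-quoted literal that matches `JSON.stringify` for ordinary text but replaces any lone surrogate with a `\uXXXX` escape, plus a small well-formedness check a parser or validator could run on untrusted input.

```javascript
// Added example (not from the devalue project): serialize a JS string as a
// JSON-compatible literal, escaping lone surrogates so the output is
// well-formed UTF-16 and can be encoded as UTF-8 without error.

// Short escapes JSON uses for quote, backslash and common control characters.
const SHORT_ESCAPES = new Map([
  ['"', '\\"'], ['\\', '\\\\'], ['\b', '\\b'],
  ['\f', '\\f'], ['\n', '\\n'], ['\r', '\\r'], ['\t', '\\t'],
]);

const isHighSurrogate = (c) => c >= 0xd800 && c <= 0xdbff;
const isLowSurrogate = (c) => c >= 0xdc00 && c <= 0xdfff;

// \uXXXX with lowercase hex digits (the casing V8's well-formed stringify uses).
function hex4(codeUnit) {
  return '\\u' + codeUnit.toString(16).padStart(4, '0');
}

// Returns a quoted literal. A high surrogate is copied through only when it is
// followed by a low surrogate; any unpaired surrogate becomes a \uXXXX escape.
function stringifyString(str) {
  let out = '"';
  for (let i = 0; i < str.length; i++) {
    const ch = str[i];
    const code = str.charCodeAt(i);
    if (SHORT_ESCAPES.has(ch)) {
      out += SHORT_ESCAPES.get(ch);
    } else if (code < 0x20) {
      out += hex4(code); // other control characters
    } else if (isHighSurrogate(code)) {
      const next = i + 1 < str.length ? str.charCodeAt(i + 1) : -1;
      if (isLowSurrogate(next)) {
        out += ch + str[i + 1]; // valid pair: keep the literal astral character
        i++;
      } else {
        out += hex4(code); // lone high surrogate
      }
    } else if (isLowSurrogate(code)) {
      out += hex4(code); // lone low surrogate (pairs were consumed above)
    } else {
      out += ch;
    }
  }
  return out + '"';
}

// Defensive check: true when every surrogate code unit in str is properly
// paired, i.e. the string can be encoded as UTF-8 without replacement.
function isWellFormedUtf16(str) {
  for (let i = 0; i < str.length; i++) {
    const code = str.charCodeAt(i);
    if (isHighSurrogate(code)) {
      const next = i + 1 < str.length ? str.charCodeAt(i + 1) : -1;
      if (!isLowSurrogate(next)) return false;
      i++;
    } else if (isLowSurrogate(code)) {
      return false;
    }
  }
  return true;
}

// Constructed sample inputs: a valid pair, a lone high and a lone low surrogate.
const SAMPLES = ['ok \uD83D\uDE00', 'a\uD83Db', '\uDE00x', 'line\n"q"'];
for (const s of SAMPLES) {
  console.log(isWellFormedUtf16(s), stringifyString(s));
}
```

The round trip `JSON.parse(stringifyString(s)) === s` holds for every input, including ones containing lone surrogates, while the serialized text itself is always well-formed; on an engine that implements well-formed `JSON.stringify`, the two functions produce identical output for these samples.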

Rich-Harris added a commit that referenced this issue Oct 26, 2018
@mathiasbynens
Author

Closing now that #17 is merged. Cheers, Rich!

@mathiasbynens
Author

Would jsesc make sense in this list? https://github.com/Rich-Harris/devalue#see-also

@Rich-Harris
Owner

yeah! added it
