How to sanitize user input text so that it can be used in Javascript/JSON?

Question

I have a web app in which I allow some large text entry using text fields. This text is saved to a database and then later it is sent back to the user as a field in a JSON response. In the browser, I attempt to simply convert it to an Object using JSON.parse, but this sometimes fails depending on what the user put in the field.

I think that right now, the text has single quotes in it, and those are breaking the browser-side Javascript before I can call JSON.parse on it.

What's the best way to sanitize this data so that, ideally, I can just parse it back to an Object with minimal cleansing after it has been saved?

Answer 1

The awesome thing with JSON is that you do not need to sanitize anything. No matter what you feed to a JSON encoder - it will always output plain JSON. Obviously that JSON needs to be HTML-encoded in case you plan to use it within a HTML page. Depending on the JS encoder you need to ensure there's no </script> in there (e.g. by replacing / with \/).

You also do not need JSON.parse. JSON is a subset of JavaScript so you can do something like that (PHP-ish for simplicity):

<script>
    var obj = <?= json_encode($whatever) ?>;
</script>

---

If you really want to include JSON as as tring inside JSON consider not doing it. You can just have the object itself there - no need to have a JSON string within your JSON data. But if you have this anyway it should also always work.

Answer 2

This isn't a sanitization problem : you can very well put a string with quotes in JSON : the encoding simply escapes them.

Your problem is an encoding one. To build a JSON string in a browser, use JSON.stringify. To do it server side, you should use the tool provided by your (unmentionned) server side language/framework.