Is it possible to bypass my regex and execute any JavaScript?
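function json(a) {
    // Reject blank input; otherwise reduce the text and require that only
    // structural characters ( ] , : { } and whitespace ) remain.
    if (/^\s*$/.test(a) ? 0 : /^[\],:{}\s\u2028\u2029]*$/
            // 1. Replace backslash escape sequences with "@".
            .test(a.replace(/\\["\\\/bfnrtu]/g, "@")
            // 2. Replace strings, literals and numbers with "]".
            .replace(/"[^"\\\n\r\u2028\u2029\x00-\x08\x0a-\x1f]*"|true|false|null|-?\d+(?:\.\d*)?(?:[eE][+\-]?\d+)?/g, "]")
            // 3. Drop open brackets that follow the start, a colon or a comma.
            .replace(/(?:^|:|,)(?:[\s\u2028\u2029]*\[)+/g, "")))
        try {
            return eval("(" + a + ")")
        } catch (b) {}
    g(Error("Invalid JSON string: " + a))
}
//...
json(window.name);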
I believe it is impossible.
Upvotes: 0
Views: 4725
Reputation: 11
This
(true");alert(9);//"
is very close to a valid JavaScript statement and will bypass this regex.
Be careful with your regex, someone can bypass it.
Upvotes: 1
Reputation: 153074
That code is part of goog.json.parse, which is a fork of Crockford's json2.js allowing additional whitespace characters.
Looking at the source code, you'll find helpful comments explaining why those regexes prevent execution. That code has been battle-tested for years, so I doubt there are any holes.
Upvotes: 2
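The filter from the question, split into its stages as an added example (not code from the question, either answer, or goog.json). It shows what each sample reduces to and whether the filter, a compile-only check of the text that would reach eval, and JSON.parse accept it. The function names and the first two samples are constructed here; the third sample is the string from the first answer.

```javascript
// Added example. The four regexes are copied from the question; the function names are chosen here.
const ESCAPES = /\\["\\\/bfnrtu]/g;
const VALUES = /"[^"\\\n\r\u2028\u2029\x00-\x08\x0a-\x1f]*"|true|false|null|-?\d+(?:\.\d*)?(?:[eE][+\-]?\d+)?/g;
const OPEN_BRACKETS = /(?:^|:|,)(?:[\s\u2028\u2029]*\[)+/g;
const REMAINDER = /^[\],:{}\s\u2028\u2029]*$/;

// What is left of the text after the three replace() stages.
function reduce(text) {
  return text.replace(ESCAPES, "@").replace(VALUES, "]").replace(OPEN_BRACKETS, "");
}

// Same decision as the if-condition in json(): non-blank and only structural characters remain.
function passesFilter(text) {
  return !/^\s*$/.test(text) && REMAINDER.test(reduce(text));
}

// Compile, but never run, the text exactly as json() would wrap it for eval.
function compiles(text) {
  try { new Function("return (" + text + ")"); return true; } catch (e) { return false; }
}

// Strict alternative: JSON.parse never evaluates code.
function strictParse(text) {
  try { JSON.parse(text); return true; } catch (e) { return false; }
}

function report(text) {
  return { reduced: reduce(text), filter: passesFilter(text),
           compiles: compiles(text), jsonParse: strictParse(text) };
}

const samples = [
  '{"a":[1,2,{"b":null}]}',   // constructed: valid JSON
  '[1 2]',                    // constructed: safe tokens only, but not valid JSON
  '(true");alert(9);//"',     // the string from the first answer
];
for (const s of samples) console.log(JSON.stringify(s), report(s));
```

The `[1 2]` sample shows that the filter checks for safe tokens rather than JSON grammar; text that passes it can still be rejected by the parser behind eval.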