jsonencoding
v1.0.0
Module to safely encode JSON to avoid security vulnerabilities.
jsonencoding
This module does more escaping than standard JSON requires. Characters such as >, <, &, \u2028 and \u2029 are escaped to make it safe to insert the JSON inside script tags. The extra encoding uses Unicode escape sequences (\uXXXX), so the resulting JSON string remains compatible with the standard JSON parsing method.
This code will result in unexpected execution of JavaScript:
<script>
var foo = JSON.stringify("</script><script>alert(\'owned!\')</script>");
</script>
This code is safe:
<script>
var foo = jsonencoding.stringify("</script><script>alert(\'owned!\')</script>");
</script>
You can also encode existing JSON:
<script>
var foo = jsonencoding.encode(JSON.stringify(...));
</script>
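The following sketch illustrates the escaping idea described above. It is an added example, not the jsonencoding source; escapeForScript, stringifyForScript, renderPage and countScriptCloseTags are hypothetical names, and renderPage stands in for a server-side template that writes serialized data into a script tag.

```javascript
// Added example: escape the characters named in the README as \uXXXX
// sequences. Not the module's own code; all names here are hypothetical.
const ESCAPES = {
  "<": "\\u003c",
  ">": "\\u003e",
  "&": "\\u0026",
  "\u2028": "\\u2028",
  "\u2029": "\\u2029",
};

// In valid JSON these characters can only occur inside string values,
// so replacing them anywhere in the text yields equivalent JSON.
function escapeForScript(json) {
  return json.replace(/[<>&\u2028\u2029]/g, (ch) => ESCAPES[ch]);
}

function stringifyForScript(value) {
  const json = JSON.stringify(value);
  // JSON.stringify returns undefined for undefined, functions and symbols.
  if (json === undefined) {
    throw new TypeError("value is not JSON-serializable");
  }
  return escapeForScript(json);
}

// Stand-in for a server-side template embedding data in a page.
function renderPage(value, serialize) {
  return "<script>var foo = " + serialize(value) + ";</script>";
}

// An HTML parser ends a script element at the first "</script",
// regardless of JavaScript string quoting, so count those sequences.
function countScriptCloseTags(html) {
  return (html.match(/<\/script/gi) || []).length;
}

// The string from the README examples above.
const payload = "</script><script>alert('owned!')</script>";

const unsafePage = renderPage(payload, JSON.stringify);
const safePage = renderPage(payload, stringifyForScript);

console.log(countScriptCloseTags(unsafePage)); // extra closing tags leak out
console.log(countScriptCloseTags(safePage));   // only the template's own tag
console.log(JSON.parse(stringifyForScript(payload)) === payload);
```
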
Installation
This package is available on npm as:
npm install jsonencoding
Acknowledgements
This code is based on the ActiveSupport JSON encoding module.