javascript - 应该使用 jQuery 的 parseJSON/getJSON 方法吗？

Question

我注意到 jQuery parseJSON 基本上做了一个简单的正则表达式“检查”:

parseJSON: function( data ) {
    if ( typeof data !== "string" || !data ) {
        return null;
    }

    // Make sure leading/trailing whitespace is removed (IE can't handle it)
    data = jQuery.trim( data );

    // Make sure the incoming data is actual JSON
    // Logic borrowed from http://json.org/json2.js
    if ( /^[\],:{}\s]*$/.test(data.replace(/\\(?:["\\\/bfnrt]|u[0-9a-fA-F]{4})/g, "@")
        .replace(/"[^"\\\n\r]*"|true|false|null|-?\d+(?:\.\d*)?(?:[eE][+\-]?\d+)?/g, "]")
        .replace(/(?:^|:|,)(?:\s*\[)+/g, "")) ) {

        // Try to use the native JSON parser first
        return window.JSON && window.JSON.parse ?
            window.JSON.parse( data ) :
            (new Function("return " + data))();

    } else {
        jQuery.error( "Invalid JSON: " + data );
    }
},

如果它通过了“检查”并且它是一个现代浏览器，则使用 native JSON 解析器。否则，我假设像 IE6 这样的浏览器会自动调用一个新函数并返回对象。

问题 #1:由于这只是一个简单的正则表达式测试，是否容易出现某种模糊的边缘情况漏洞利用？对于至少不支持原生 JSON 解析的浏览器，我们真的不应该使用一个完整的解析器吗？

问题 #2:(new Function("return "+ data ))() 相对于 eval("( "+ 文本 + ")")?

Answer 1

如评论中所述，jQuery 的 JSON 解析器直接从 json2.js“借用”了测试 JSON 字符串是否有效的逻辑。这使得它与最常见的非本地实现“一样安全”，无论如何都是相当严格的:

// In the second stage, we run the text against regular expressions that look
// for non-JSON patterns. We are especially concerned with '()' and 'new'
// because they can cause invocation, and '=' because it can cause mutation.
// But just to be safe, we want to reject all unexpected forms.

// We split the second stage into 4 regexp operations in order to work around
// crippling inefficiencies in IE's and Safari's regexp engines. First we
// replace the JSON backslash pairs with '@' (a non-JSON character). Second, we
// replace all simple value tokens with ']' characters. Third, we delete all
// open brackets that follow a colon or comma or that begin the text. Finally,
// we look to see that the remaining characters are only whitespace or ']' or
// ',' or ':' or '{' or '}'. If that is so, then the text is safe for eval.

            if (/^[\],:{}\s]*$/.
test(text.replace(/\\(?:["\\\/bfnrt]|u[0-9a-fA-F]{4})/g, '@').
replace(/"[^"\\\n\r]*"|true|false|null|-?\d+(?:\.\d*)?(?:[eE][+\-]?\d+)?/g, ']').
replace(/(?:^|:|,)(?:\s*\[)+/g, ''))) {

我不明白的是，为什么 jQuery 在检查 native 实现之前运行正则表达式/替换，而 native 实现无论如何都会检查正确的 JSON 语法。如果 native 实现不可用，似乎只执行此操作会加快速度。

问题2是answered very well by bobince在另一个问题中:

It's not really a big difference, but the feeling is that eval is ‘worse’ than new Function. Not in terms of security — they're both equally useless in the face of untrusted input, but then hopefully your webapp is not returning untrusted JSON strings — but in terms of language-level weirdness, and hence resistance to optimisation.

查看 Nick Craver's answer还有 John Resig 的直接引述。