Stricter JSON parsing, for security

author: Misko Hevery 2010-12-11 10:07:10 -0800
committer: Misko Hevery 2010-12-11 10:07:10 -0800
commit: a5df1fc41fcd5c9a72e3db7c861966fb68622e48 (patch)
tree: 1909e42fcc197830cf27fb2797d9686a4815548d /src/parser.js
parent: ec4d446f898e7860c12a337200c31c3b75f663cc (diff)
download: angular.js-a5df1fc41fcd5c9a72e3db7c861966fb68622e48.tar.bz2
1 files changed, 6 insertions, 1 deletions
diff --git a/src/parser.js b/src/parser.js
index fec23899..47b23e7e 100644
--- a/src/parser.js
+++ b/src/parser.js
@@ -42,12 +42,17 @@ function lex(text, parseStringsForObjects){
       readNumber();
     } else if (isIdent(ch)) {
       readIdent();
+      // identifiers can only be if the preceding char was a { or ,
       if (was('{,') && json[0]=='{' &&
          (token=tokens[tokens.length-1])) {
         token.json = token.text.indexOf('.') == -1;
       }
     } else if (is('(){}[].,;:')) {
-      tokens.push({index:index, text:ch, json:is('{}[]:,')});
+      tokens.push({
+        index:index, 
+        text:ch, 
+        json:(was(':[,') && is('{[')) || is('}]:,')
+      });
       if (is('{[')) json.unshift(ch);
       if (is('}]')) json.shift();
       index++;
author	Misko Hevery	2010-12-11 10:07:10 -0800
committer	Misko Hevery	2010-12-11 10:07:10 -0800
commit	a5df1fc41fcd5c9a72e3db7c861966fb68622e48 (patch)
tree	1909e42fcc197830cf27fb2797d9686a4815548d /src/parser.js
parent	ec4d446f898e7860c12a337200c31c3b75f663cc (diff)
download	angular.js-a5df1fc41fcd5c9a72e3db7c861966fb68622e48.tar.bz2