Stricter JSON parsing, for security

author: Misko Hevery 2010-12-11 10:07:10 -0800
committer: Misko Hevery 2010-12-11 10:07:10 -0800
commit: a5df1fc41fcd5c9a72e3db7c861966fb68622e48 (patch)
tree: 1909e42fcc197830cf27fb2797d9686a4815548d /test/JsonSpec.js
parent: ec4d446f898e7860c12a337200c31c3b75f663cc (diff)
download: angular.js-a5df1fc41fcd5c9a72e3db7c861966fb68622e48.tar.bz2
1 files changed, 12 insertions, 0 deletions
diff --git a/test/JsonSpec.js b/test/JsonSpec.js
index f0019bef..ba3366e5 100644
--- a/test/JsonSpec.js
+++ b/test/JsonSpec.js
@@ -151,6 +151,18 @@ describe('json', function(){
       expect(function(){fromJson('[].constructor');}).
         toThrow(new Error("Parse Error: Token '.' is not valid json at column 3 of expression [[].constructor] starting at [.constructor]."));
     });
+    
+    it('should not allow object dereference', function(){
+      expect(function(){fromJson('{a:1, b: $location, c:1}');}).toThrow();
+      expect(function(){fromJson("{a:1, b:[1]['__parent__']['location'], c:1}");}).toThrow();
+    });
+    
+    it('should not allow assignments', function(){
+      expect(function(){fromJson("{a:1, b:[1]=1, c:1}");}).toThrow();
+      expect(function(){fromJson("{a:1, b:=1, c:1}");}).toThrow();
+      expect(function(){fromJson("{a:1, b:x=1, c:1}");}).toThrow();
+    });
+    
   });
 
 });
author	Misko Hevery	2010-12-11 10:07:10 -0800
committer	Misko Hevery	2010-12-11 10:07:10 -0800
commit	a5df1fc41fcd5c9a72e3db7c861966fb68622e48 (patch)
tree	1909e42fcc197830cf27fb2797d9686a4815548d /test/JsonSpec.js
parent	ec4d446f898e7860c12a337200c31c3b75f663cc (diff)
download	angular.js-a5df1fc41fcd5c9a72e3db7c861966fb68622e48.tar.bz2