From a5df1fc41fcd5c9a72e3db7c861966fb68622e48 Mon Sep 17 00:00:00 2001
From: Misko Hevery
Date: Sat, 11 Dec 2010 10:07:10 -0800
Subject: Stricter JSON parsing, for security
---
 src/parser.js | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
(limited to 'src/parser.js')
diff --git a/src/parser.js b/src/parser.js
index fec23899..47b23e7e 100644
--- a/src/parser.js
+++ b/src/parser.js
@@ -42,12 +42,17 @@ function lex(text, parseStringsForObjects){
 readNumber();
 } else if (isIdent(ch)) {
 readIdent();
+ // identifiers can only be if the preceding char was a { or ,
 if (was('{,') && json[0]=='{' &&
 (token=tokens[tokens.length-1])) {
 token.json = token.text.indexOf('.') == -1;
 }
 } else if (is('(){}[].,;:')) {
- tokens.push({index:index, text:ch, json:is('{}[]:,')});
+ tokens.push({
+ index:index,
+ text:ch,
+ json:(was(':[,') && is('{[')) || is('}]:,')
+ });
 if (is('{[')) json.unshift(ch);
 if (is('}]')) json.shift();
 index++;
-- cgit v1.2.3
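Review bot: The closing tokens are still flagged `json` unconditionally (`|| is('}]:,')`), and `json.shift()` pops whatever opener is on top, so a `}` can close a `[` and leave the `json` stack out of step with the input; the identifier branch then trusts that stack through `json[0]=='{'`. Since the commit tightens only the openers, the closers could be tied to the stack as well, e.g. `json:(was(':[,') && is('{[')) || is(':,') || (is('}') && json[0]=='{') || (is(']') && json[0]=='[')`. Whether a later parsing stage already rejects mismatched brackets cannot be seen from here, and `is`, `was` and the rest of `lex` are defined outside the hunk, so a regression test for mismatched closers on the strict-JSON path would confirm it. The added comment also reads as incomplete; `// an identifier is JSON only as an object key, i.e. directly after '{' or ','` would say what the check appears to enforce.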