D7: Create RFC compliant HTML safe JSON

We need to escape <>& to prevent HTML parsing issues.

Relevant RFC: http://www.ietf.org/rfc/rfc4627.txt?number=4627

json should use \uXXXX, not \xYY to escape characters.

@DamZ

Still uses \x instead of \u

I'm having a hard time finding an authorative text on JS string encoding. Is it possible to mix \uXXX and UTF-8 in a string literal?

Here's a patch against D6 for the OP to test.

It's time for some level tests about that.

Looks like this is needed for #653580: Upgrade to jQuery 1.4

Rerolling

This makes total sense.

json_decode() appears to unescape the HTML-safe characters itself (on PHP 5.2.12), so I've removed the older unescaping from drupal_json_decode(). This probably needs testing on other PHP versions.

The only test I could think of to add to the suite was to test for the escaped characters in the JSON encoded string. All the other unit tests for the JSON functions appear to pick up everything else.

Any more suggestions for the tests?

Great. Thanks, folks! :D

Committed to HEAD.

Moving down to 6.x.

Rolled a patch for D6 based on #11. It adds some characters to correctly escape in JSON in drupal_to_js(). I'd found out that JSON Server was returning un-parseable JSON because it was escaping apostrophe's, which is incorrect.

There's a handy JSON tester online to check correct formatting, which might be helpful in this thread: http://www.jsonlint.com/

I'm assuming we're sticking with drupal_to_js() in D6, and not simply changing it to:

??

Thanks Heine. Re-rolled.

I vote for str_replace() as it's pretty easy to see what's going with it. Patch attached.

\x00 is not valid in JSON; The quotation mark, reverse solidus, and the control characters (U+0000 through U+001F: \x00 through \x1f) must be escaped.

As \uXXXX escaping is always allowed, I'd vote to ditch add(c)slashes and use only one escape method.

Damn - patched against my already patched function. Here's the correct patch.

drupal_to_js failed on my site due to line Separator (U+2028). Is this related? Should we remove similar UTF-8 separators as well?

I've modified my drupal_to_js testing code from #33 to use the same escaping that D7 is using with json_encode. It generates no errors now, including the \u2028 unicode character.

Roger #37 Here is what I mean by fail: I use a JQuery ajax call and return data via drupal_to_js. The data is an array that includes several HTML regions (right-sidebar and content). Everything worked fine, until part of the data (a teaser of a post) included the UTF-8 line separator. It caused the ajax call to fail with parsererror error.

Thanks for the feedback, Heine - the single quote is now replaced with \u0027 and I've taken out replacements for \f - \t. Patch attached.

bluetegu, you're saying that in your case drupal_to_js returns a \u2028 character which ajax then couldn't parse? I think that problem lies in the ajax, rather than in drupal_to_js. See the JSON rfc at http://www.ietf.org/rfc/rfc4627.txt - particularly the bit which says, "Insignificant whitespace is allowed before or after any of the six structural characters" and then it does on to list allowed whitespace characters, including Line feed/New line/Carriage return.

Try the attached patch and see if this solves your problem?

Try running it through this function instead and see if it helps (this is how D7 does it):

That's great :) Does running it through the patched drupal_to_js (from #42) work too?

Ah, thanks - I've changed that character. Try attached patch again, please.

Roger, it works ok for me, unless I have the separator u2028 (and possibly similar separators). For this to work, you can either use my #41 or the drupal_json_encode code per #44.

re #50: when I run the following, I get \\u2028 as an output:
print json_encode("\u2028");

I get the same output when I do:
print drupal_to_js("\u2028");

Isn't this expected?

Ah yes, hexadecimal. My brain wasn't supplying me with that word - too tired.

I've re-read the RFC to see if I've missed anything. Page 4 is the relevant page for our purposes; especially the line which tells us which characters don't need to be escaped:

This means we need to escape \x00 - \x1F, \x22 (a quotation mark "), \x5C (reverse solidus), \x2F (solidus), \x62 (backspace), \x66 (form feed), \x6E (line feed), and \x72 (carriage return). I'd missed some of those - I've added them in now (and added a line in the function comments to mention these). Hopefully I've got everything?

@bluetegu, this might catch your error?

From #54, I'd thought the following characters needed to be escaped: backspace, form feed, line feed and carriage return. That's correct - they do - and as Heine pointed out in #39, all of these are already handled in \x00 - \x1f so we can just take them out here (and, I'd done the character representation incorrectly - a backspace is \b or \x5C\x62 - I'd represented it as just \x62 - which is why "The quick brown fox jumped over the lazy dog" got garbled).

So, the new lines should look like this:

I've added in \x09 and \x19 (\x10 was already there ;)

Have changed the replacement '\\\\' to '\u005C' for consistency.

As for "\'"...that's what led me to this thread in the first place - I had a node title which wasn't having correct JSON return by drupal_to_json: "This isn't a node title" was returning "This isn\'t a node title" because of the addslashes function. Since we've taken out addslashes() there's no need to replace "\'" with anything.

So ' stays ' and \' becomes \u005C' - which is what we want.

Yes?

We definitely need to escape:

Next Line (\u0085)
Line Separator (\u2028)
Paragraph Separator (\u2029)

Note that this wasn't caught by your tests above because you can't test for these by adding "\u2028" -- you have to use "\xE2\x80\xA8".

I found this issue because I copied and pasted a Paragraph Separator into a CCK label unknowingly, which broke AJAX in views (see #682778: Error: http://mysite.org/admin/build/views/ajax/add-item/comm_sites/default/field.).

I've rerolled the patch with these additions.

Quite ugly + unmaintainable. Can we use strtr() with array notion instead of str_replace() ?

Here's a hopefully cleaner version.

Hi,

The patch from #64 also works for me on a server running D6.17 and PHP 5.1.6. Marking this as RTBC as we now have two reports of the patch working.

The bug is a bit of a show-stopper for anybody not able to roll their own function using the PHP json_encode function in 5.2, so it would be great to see this patch committed soon (unless anybody spots a problem with it, of course) - running sites on patched versions of core makes me nervous!

We definitely need to escape:

Next Line (\u0085)

Why? AFAICT this character is not mentioned in ECMA-262, contrary to the two other that you mention.

Isn't html_entity_decode('&#'. $i .';', ENT_NOQUOTES, 'UTF-8') equivalent to just chr($i) when $i < 127 ?

+ $replace_pairs

Single quote is not escaped.

BTW I compared the performance of str_replace() and strtr(), and in this case strtr() seems to be much faster (i.e. it should not be changed to str_replace() in #561422: Replace strtr() with str_replace() for db prefixing):

This works as I would expect.

Gábor, are you looking for more feedback from me.. or feedback from more testers?

Additionally, when providing testing results, something more substantial than "This works as I would expect." is generally helpful for building confidence in core committers regarding the level of testing. What, specifically, were you seeing your site do before that it's not doing now? How did you explicitly go out of your way to break it that failed? What sort of kooky/unusual set-up did you try the patch on where it did not break? etc.

On a server running D6.19 and PHP 5.1.6. (so without the PHP json_encode function in PHP 5.2) supplying a JSON feed to an iphone app, the results go something like this:

Before: Plain vanilla D6.19
Example JSON output:
{ "umm": { "item": { "id": "10092", "language": "fr", "url": "http://example.com/fr/node/10092", "title": "\x3cp\x3eUn miraculé de Lourdes\x3c/p\x3e\n", etc
Result: iphone app developer sends emails along the lines of 'what's all this garbage in the feed, I can't work with this!' and storms off in a huff!

After: Patched D6.19 with the patch in #71
Example JSON output:
{ "umm": { "item": { "id": "10092", "language": "fr", "url": "http:\u002f\u002fexample.com\u002ffr\u002fnode\u002f10092", "title": "\u003cp\u003eUn miraculé de Lourdes\u003c\u002fp\u003e\u000a", etc
Result: Less disgruntled iphone app developer!

As well as encoding tags in \uXXX format as opposed to the problematic \x format, the slashes in the url item are encoded, which didn't happen before applying the patch (but that's just an observation, not a problem, as far as I can see).

#6: do-479368-u-escape-sequences.patch queued for re-testing.

@rlnorthcutt

Thats a good start

We are dealing with a number of circumstances:

• At least two different parsers may process the JSON (drupal_add_js setting):
  • HTML parser
  • JSON parser
• Clients we have no control over need to interpret the JSON: jquery versions, iphone apps, .NET classes, world+dog

This means we need to produce RFC4627 compliant JSON that, at the same time, will not have certain 'special characters' such as ', ", <, > and & be interpreted by an HTML parser.

As RFC4627-2.5 clearly states that "Any character may be escaped", we can avoid special treatment of characters ', ", <, > and & by an HTML parser through simple substitution with a Unicode escape sequence (\uXXXX).

A number of characters MUST be escaped for the JSON parser. These are:

• "
• \
• U+0000 - U+001F

For a number of characters (eg "), it is possible to choose the escape form and either precede them with a backslash (JSON Escape Sequence, eg \"), or use the \uXXXX (Unicode escape sequence, eg \u0027) form. HOWEVER, because we also need to deal with the HTML parser, _it_ may interpret the quote before the the JSON parser even has the chance to run. Because of this, it is advisable to use the Unicode escape sequence (\uXXXX) here as well.

Right now, drupal_to_js is not RFC4627 compliant. This causes problems with a number of non-core JSON consumers.

Violations:

• Control characters such as U+001F are not escaped
• It uses the undefined escape sequence \xXX, which only works on certain JSON implementations (likely, only JS eval)
• It improperly uses the non-existing JSON escape sequence \0 for the 0 byte instead of the Unicode escape sequence \u0000

Additional problem:

• It risks interpretation of certain characters as special by the HTML parser due to its use of addslashes (\")

Now, enough about the problems of the current implementation, on to the patch.

It correctly escapes U+0000 - U+001F (Ascii 0 - 31) and the potential special HTML characters.

AFAIK we do not have to escape /, U+2028 and U+2029 according to the specs, but naive JSON parsers (eval) may have trouble with it.

As there's no harm in escaping these characters, I've kept them in the revised patch. All this reroll did was to expand the U+0000 - U+001f range and add comments.

Back to D7 for \, ", ' and / that we don't escape there.

json_encode uses JSON escape sequences (\") instead of our preferred Unicode escape sequences (\uXXXX). As json_encode in PHP 5.2.x doesn't have support for the $options array, we need to ditch the function and implement json_encoding ourselves again.

Because we do not want to escape all quotes.

"key" : "value"

Quotes in key and value need to be escaped, but we have to leave the significant quots wrapping the key and value alone.

We can't use check_plain either, because the result of drupal_json_encode has to be consumed by pure JSON parsers.

If the postprocessing of \ and / is really necessary, we should open a feature request against PHP to add support for that in later versions.

This seems to have stalled.. What still needs to be done?

I think we can get away with not escaping \ and / as they are not special in HTML. (/ at least not when not in in the </ or /> combo, and < and > are escaped).

(patch contains a BOM, so it's also a test for the test infrastructure)

Lovely, json_encode options produce \uXXXX vs. \uxxxx. Adjusting both test and drupal_encode_json_helper to test and produce uppercase hexadecimals.

Tested #71 with jQuery 1.4.2.

Now I got:

instead of:

Subscribing. Thanks

Thanx Heine for letting us know.

btw, patches in #88 and #89 got accidentally named 479468 instead of 479368

Just for reference, there is a working patch for tabledrag.js at http://drupal.org/node/893538

On instigation by chx; needs a test for drupal_json_helper as well or we lose coverage on PHP 5.3 testservers.

#71: 479368_drupal_to_js_all_escaped.patch queued for re-testing.

Better title.

This issue is most urgent for D6 and interaction with external JSON consumers:

drupal_json_encode produces JSON that risks being interpreted by HTML parsers (\" escape sequences).
drupal_to_js (D6) produces total garbage for RFC compliant parsers (iPhone, random APIs, later jQuery versions).

Crosspost

Drupal 6 backport with a testbot safe name.

that's just the problem i was trying to solve, a U+2028 character breaking Views Ajax filtering in a D6 site. i applied the last patch from #127 and it just shifted the issue - instead of getting a failure on the Ajax call, there's a syntax error later on when it tries to use the response result. i had to change these lines:

i think the gist of this may be outside the scope of this issue, but i can try to make a simpler test case if anyone would want to see it.

#71: 479368_drupal_to_js_all_escaped.patch queued for re-testing.

brad, do you know the exact location of the syntax error? This might be a problem that should be solved by not offering e2 80 a8 and friend in _this_ response in the first place.

Yes, then the problem IMO is in the entity calling drupal_json. callback should be a valid JS callback.

Do the d.o infrastructure have PHP 5.3 slaves? Anyway this good to go

The last submitted patch, do479368-drupal_json_encode.patch, failed testing.

my patch :)

okay, as per requested by the testing module, patch will just escape <, > and & only.

The last submitted patch, drupal_json_encode.patch, failed testing.

The last submitted patch, drupal_json_encode.patch, failed testing.

#146: drupal_json_encode.patch queued for re-testing.

Here's that reroll of #119 for D7. (Edit: missed the changes from #152.)

Setting to 7.x temporarily to test the D7 patch with the single quote added.

#157 passes, so moving back to 8.x.

In #152, I don't understand why the double quote is excluded from the patch. I mean, I see that earlier tests broke with it, but is there a logical reason it's excluded?

Looking over it again, I think #157 needs the single quote added to the helper test's $html_unsafe in addition to the change catch suggests. Also, the same question about the double quote applies there. The 5.3 call to json_encode() includes the double quote as an argument, but the 5.2 switch statement does not include it in the same section as < > ' &.

i just copied the code from php.net documentation

i dont know why it fails when i include it in simpletests, thats why i removed it.. i guess its a simpletest bug or something?

Let's try this.

Oh, $json is getting re-defined as an array and not just the string. We need to test the string delimiters only before this. Reusing the same var seems not-best-practice, but I guess that'd be a separate issue.

#152: drupal_json_encode.patch queued for re-testing.

A taxonomy patch just went in, switching to drupal_implode_tags().

So I guess it is maybe failing because the str_replace() in drupal_implode_tags() matches double quotes and not the encoded variant? Do we need to patch that function as well? I don't think not encoding double quotes should be an option.

Attached is the same as #170, but adjusts the taxonomy test to match encoded rather than escaped double quotes wrapping the term.

Just a comment fix to match #119.

Thanx Jess for your hard work on this ;)

Summary added.

Comment fix to D8 to bring it in line with @sun's comment change recommendation, plus an additional comment clarifying the use of \u0022 in the taxonomy autocomplete test.

#189: json-encode-d8-479368-189.patch queued for re-testing.

Rerolled for core/.

Is this correct for D8?

Fixed.

Attached creates a new file, json-encode.inc. This is for D7 only.

The JSON and taxonomy autocomplete tests pass locally with PHP 5.2. Setting to D7 temporarily to make sure this patch passes the full test suite for D7.

The D8 patch is still in #197.

This is good to go.

I reviewed this patch and it looks good. However, it needs a quick re-roll for the 'core'-directory changes.

Oops, you're right xjm. Committed to 8.x and moving to 7.x for @webchick.

Oopsie. Marking down to D6.

...minor title edit to make this clear(er) + removing the backport tag.

But after upgrading to D7.12, I have some problems with my ajax interface, which after ajax-reload returns html with russian textes. I use ajax_command_html for ajax output with php 5.2.17.
I've tried to use old version of the drupal_json_encode() function and it looks good...
and drupal_json_encode_helper() returns abracadabra instead of the normal readable text.
I think the problem is in drupal_json_encode_helper() function, lines 23-77...
But I'm not sure...