1

I have problem to convert back json string containing double quote to javascript object in JSON.parse(). Here is details below.

  1. I have a object saved in variable groupdatain nodejs app.js

    [{"_id":"56adb85319dec52455d11c21","fullName":"NY Metro Office 365 What New\" group","createdAt":"2015-08-25T17:03:59.000Z","stats":{"members":65}}]

  2. In my nodejs app.js code, groupdata object is passed to client as a json string.

    function doRender() { res.render('groupdata', { 'groupdata': JSON.stringify(groupdata) }); }

  3. My client code tries to prevent XSS attack first by function htmlDecode() then JSON.parse() a valid json string to object.

JSON.parse(test1) will succeed if only the string does not contain double quote. JSON.parse(test2) will fail as error below 

     function htmlDecode(input){  //prevent XSS attack;
         var e = document.createElement('div');
         e.innerHTML = input;
         return e.childNodes.length === 0 ? "" : e.childNodes[0].nodeValue;
     }
     console.log('groupdata: ' + "<%= groupdata %>");
     var test1 = htmlDecode("<%= (groupdata) %>");
     console.log('test1: ' + test1);
     var test2 = htmlDecode("<%= JSON.stringify(groupdata) %>");
     console.log('test2: ' + test2);
     JSON.parse(test1);  // Succeed if only test1 value contains no double quote
     JSON.parse(test2);  // ERROR: Uncaught SyntaxError: Unexpected token _

The console log in client chrome browser:

groupdata: [{&#34;_id&#34;:&#34;56adb85319dec52455d11c21&#34;,&#34;fullName&#34;:&#34;NY Metro Office 365 What New&#34; group&#34;,&#34;createdAt&#34;:&#34;2015-08-25T17:03:59.000Z&#34;,&#34;stats&#34;:{&#34;members&#34;:65}}]
test1: [{"_id":"56adb85319dec52455d11c21","fullName":"NY Metro Office 365 What New" group","createdAt":"2015-08-25T17:03:59.000Z","stats":{"members":65}}]
test2: "[{"_id":"56adb85319dec52455d11c21","fullName":"NY Metro Office 365 What New\" group","createdAt":"2015-08-25T17:03:59.000Z","stats":{"members":65}}]"

Question: How can I convert json string with double quote to javascript object in this case?

Improve this question
4
  • You should JSON.parse before doing anything with the data. And you should always JSON.parse inside try catch because it throws an exception if somethings goes wrong, and you do not want this to stop your server. After you parsed the data, you can htmlDecode the fullName for example. Commented Jan 31, 2016 at 19:49
  • I fully understand that JSON.parse should be done at first, but I also perceive that in EJS, I need to use <script> var myVar = <%- JSON.stringify(myVar) %>; </script> to pass myVar to client side javascript. However, This exposes to XSS attack and I do need to decode the string before JSON.parse(). I wonder how to accomplish both requirements? Commented Jan 31, 2016 at 21:28
  • Maybe like this? stackoverflow.com/a/18106721/387573 Commented Jan 31, 2016 at 21:42
  • @migg I had a look at this but it didn't work out first time. Now I tried again and it actually works! Perhaps I did something wrong originally. This is so much cleaner than manual html decoding. Thank you so much migg! I will post my result here once the code is ready. Commented Feb 1, 2016 at 7:23

1 Answer 1

Reset to default
2

It turns out that EJS has its own way to htmlescape to protect from XSS attack

    <script type="text/javascript">
     var groupdata = <%- JSON.stringify(groupdata); %>
    </script>

This is simple and clean. Thanks to @migg again for his commenting.

Improve this answer
Sign up to request clarification or add additional context in comments.

1 Comment

I am getting expression expected error while using Webstorm, however the code is running fine.

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.