Merge pull request #204 from g-k/add-escape-json

Add escape json

Author: nlf

API.md

@@ -26,6 +26,7 @@
 * [Escaping Characters](#escaping-characters "Escaping Characters")
   * [escapeHtml](#escapehtmlstring "escapeHtml")
   * [escapeHeaderAttribute](#escapeheaderattributeattribute "escapeHeaderAttribute")
+  * [escapeJson](#escapejsonstring "escapeJson")
   * [escapeRegex](#escaperegexstring "escapeRegex")
 * [Errors](#errors "Errors")
   * [assert](#assertcondition-message "assert")
@@ -412,6 +413,15 @@ Escape attribute value for use in HTTP header
 var a = Hoek.escapeHeaderAttribute('I said "go w\\o me"');  //returns I said \"go w\\o me\"
 ```
 
+### escapeJson(string)
+
+Unicode escapes the characters `<`, `>`, and `&` to prevent mime-sniffing older browsers mistaking JSON as HTML, and escapes line and paragraph separators for JSONP and script contexts.
+
+```javascript
+
+var lineSeparator = String.fromCharCode(0x2028);
+var a = Hoek.escapeJson('I said <script>confirm(&).' + lineSeparator);  //returns I said \\u003cscript\\u003econfirm(\\u0026).\\u2028
+```
 
 ### escapeRegex(string)
 

lib/escape.js

@@ -53,6 +53,40 @@ exports.escapeHtml = function (input) {
 };
 
 
+exports.escapeJson = function (input) {
+
+    if (!input) {
+        return '';
+    }
+
+    const lessThan = 0x3C;
+    const greaterThan = 0x3E;
+    const andSymbol = 0x26;
+    const lineSeperator = 0x2028;
+
+    // replace method
+    let charCode;
+    return input.replace(/[<>&\u2028\u2029]/g, (match) => {
+
+        charCode = match.charCodeAt(0);
+
+        if (charCode === lessThan) {
+            return '\\u003c';
+        }
+        else if (charCode === greaterThan) {
+            return '\\u003e';
+        }
+        else if (charCode === andSymbol) {
+            return '\\u0026';
+        }
+        else if (charCode === lineSeperator) {
+            return '\\u2028';
+        }
+        return '\\u2029';
+    });
+};
+
+
 internals.escapeJavaScriptChar = function (charCode) {
 
     if (charCode >= 256) {

lib/index.js

@@ -843,6 +843,10 @@ exports.escapeJavaScript = function (string) {
     return Escape.escapeJavaScript(string);
 };
 
+exports.escapeJson = function (string) {
+
+    return Escape.escapeJson(string);
+};
 
 exports.nextTick = function (callback) {
 

test/escaper.js

@@ -88,3 +88,93 @@ describe('escapeHtml()', () => {
         done();
     });
 });
+
+describe('escapeJson()', () => {
+
+    it('encodes < and > as unicode escaped equivalents', (done) => {
+
+        const encoded = Hoek.escapeJson('<script><>');
+        expect(encoded).to.equal('\\u003cscript\\u003e\\u003c\\u003e');
+        done();
+    });
+
+    it('doesn\'t encode \0 as hex escaped equivalent', (done) => {
+
+        const encoded = Hoek.escapeJson('\0');
+        expect(encoded).to.equal('\0');
+        done();
+    });
+
+    it('encodes & (ampersand) as unicode escaped equivalent', (done) => {
+
+        const encoded = Hoek.escapeJson('&&');
+        expect(encoded).to.equal('\\u0026\\u0026');
+        done();
+    });
+
+    it('encodes line seperator as unicode escaped equivalent', (done) => {
+
+        const lineSeparator = String.fromCharCode(0x2028);
+        const encoded = Hoek.escapeJson(lineSeparator);
+        expect(encoded).to.equal('\\u2028');
+        done();
+    });
+
+    it('encodes paragraph seperator as unicode escaped equivalent', (done) => {
+
+        const paragraphSeparator = String.fromCharCode(0x2029);
+        const encoded = Hoek.escapeJson(paragraphSeparator);
+        expect(encoded).to.equal('\\u2029');
+        done();
+    });
+
+    it('doesn\'t encode U+13F0 Cherokee Letter Ye as unicode escaped equivalent', (done) => {
+
+        const encoded = Hoek.escapeJson('Ᏸ');
+        expect(encoded).to.equal('Ᏸ');
+        done();
+    });
+
+    it('doesn\'t encode U+1F4A9 PILE OF POO as unicode escaped equivalent', (done) => {
+
+        const encoded = Hoek.escapeJson('💩');
+        expect(encoded).to.equal('💩');
+        done();
+    });
+
+    it('doesn\'t encode U+1D306 TETRAGRAM FOR CENTRE as unicode escaped equivalent', (done) => {
+
+        const encoded = Hoek.escapeJson('𝌆');
+        expect(encoded).to.equal('𝌆');
+        done();
+    });
+
+    it('doesn\'t encode \\ (backslash)', (done) => {
+
+        const encoded = Hoek.escapeJson('\\');
+        expect(encoded).to.equal('\\');
+        done();
+    });
+
+    it('doesn\'t throw an exception when passed null', (done) => {
+
+        const encoded = Hoek.escapeJson(null);
+        expect(encoded).to.equal('');
+        done();
+    });
+
+    it('doesn\'t encode {} characters', (done) => {
+
+        const encoded = Hoek.escapeJson('{}');
+        expect(encoded).to.equal('{}');
+        done();
+    });
+
+    it('doesn\'t encode / (slash) character', (done) => {
+
+        const encoded = Hoek.escapeJson('<script>alert(1)</script>');
+        expect(encoded).to.equal('\\u003cscript\\u003ealert(1)\\u003c/script\\u003e');
+        done();
+    });
+
+});