
Ask HN: Tips for safely parsing user provided JSON in browser? - sbr464
This is a sanity check, I&#x27;m looking for any recent best practices or tips for this use case:<p>Client-side, browser, react app. A small form that accepts user provided JSON. Would like to make this a safe as possible to parse that JSON. User will most like upload a file, or paste the JSON directly in an input.<p>A user accessing the form would most likely be logged in to the app, so there might be cookies and&#x2F;or keys in localStorage etc. Want to protect things like this when possible.<p>Was thinking of several defenses, including.<p>1. Hosting the form within an iframe in a different context&#x2F;domain.<p>2. Not parsing the JSON in the browser, but sending off to a serverless&#x2F;cloud function api that has no env&#x2F;secrets&#x2F;db connections etc to potentially access.<p>3. Checking string input with regex and other typical tools before parsing&#x2F;using.<p>The JSON, once parsed and passes validation would be used to generate some other objects&#x2F;data that would be later stored in a database.<p>Thanks in advance.
======
dozzie
> This is a sanity check, [...]

> 2\. Not parsing the JSON in the browser, but sending off to a
> serverless/cloud function api

There's your check: this part is insane.

Also, this is a common problem with programmers who haven't received formal
training:

> 3\. Checking string input with regex and other typical tools before
> parsing/using.

Do not rely with your security on regular expressions. They are a very
unwieldy tool for this purpose. Use a proper parser and don't even bother with
regexps (maybe barring the regexps in the tokenizer).

~~~
sbr464
Also for the regex mention, it was mostly for ideas in addition to using a
normal/solid parser, not to replace. Thanks for the feedback.

------
cimmanom
Browser parsers (NOT eval()) should be safe to parse with as long as you treat
the data as JSON rather than JSONP. What will you be doing with the data once
parsed?

~~~
sbr464
It's mainly to take any type of data and analyze the types/context to generate
other schema information based on that data. For example a JSON object of a
sale/receipt. Analyzing the values/properties to figure out what's what. Since
anyone could paste anything though, I wanted to make it as safe to process as
possible.

