
Starting off, I am aware of the security risks of storing JavaScript functions in JSON strings; however, that is not what is happening here.

Now I am working on a JS multi-threading model using web workers and blob strings. However, as I'm sure you are aware, you cannot use custom objects or prototypes from said custom objects in web workers, so I developed a system for serializing a custom object with functions into an anonymous object that can be used in the web worker. However, I am getting a syntax error when calling JSON.parse over the serialized object.

Serialize function:

AjaxHandler.prototype.getEmbedded = function(stringify) {
    "use strict";

    let embMembers = this.metaData.embeddedMembers; // an array of function names to add
    let embeddedObj = {};
    let stringifyArray = stringify ? new Array(embMembers.length) : [];

    if (stringify) {
        for (let i = 0; i < embMembers.length; i++) {
            stringifyArray[i] = ('"' + embMembers[i] + '":"' + AjaxHandler.prototype[embMembers[i]].toString().replace(/[\n\r]+/gi, '').replace(/[\t]+/gi, '')).replace(/\/\*\*\/this.\/\*\*\//gi, '') + '"';
        }
    } else {
        for (let mem of embMembers) {
            embeddedObj[mem] = AjaxHandler.prototype[mem];
        }
    }

    if (stringify) {
        return ("{" + stringifyArray.join(",") + "}");
    } else {
        return embeddedObj;
    }
};

All functions being embedded are syntactically correct; however, when I try to parse it:

!function TestAction() {
    "use strict";
    let tHandler = new AjaxHandler();
    let eme = tHandler.getEmbedded();
    let stf = tHandler.getEmbedded(true);
    let ptf = JSON.parse(stf); // Throws syntax error
    debugger;
}();

It throws an error (Uncaught SyntaxError: Unexpected string) as noted in the code.

Is there a way to parse out the object containing functions?

Notes:

No JSON data is being sent to or from the client so I don't think it's a security risk to store and send a function in JSON.

I have researched previous questions on the matter and none of the leads I found produced any valid solution aside from "don't do it, it's a security risk".

halfer
CalebB
  • Do you have an example of the string that fails to parse? – Thilo Dec 11 '15 at 06:17
  • Why do you build your own JSON string (as opposed to using Json.stringify)? – Thilo Dec 11 '15 at 06:17
  • "All functions being embedded are syntactically correct" What does that mean? How do you embed them? You certainly cannot have functions directly inside of JSON. – Thilo Dec 11 '15 at 06:20
  • Okay, looking at your code, it seems you want to put the source code for the function into a String. That should work, but better use Json.stringify instead of your special character replace voodoo (which does not seem to handle quotes for example). – Thilo Dec 11 '15 at 06:22
  • See http://stackoverflow.com/questions/5408406/web-workers-without-a-separate-javascript-file – guest271314 Dec 11 '15 at 06:24
  • I think you will have to use eval, or new Function(str), or some other nearly eval thing. – Catalyst Dec 11 '15 at 06:26
  • @Thilo It does indeed handle quotation marks because I wrote all the functions specifically with single quote literals but nice thought. I don't use JSON.stringify because there are members of the prototype I want to leave out. Do you have a place you recommend using JSON.stringify? – CalebB Dec 11 '15 at 06:28
  • @guest271314 I don't see how that is relevant to this. I already have a system for using workers without another file, that's not what I'm asking about. I added information about where I am using these functions purely for context. – CalebB Dec 11 '15 at 06:29
  • @CalebB http://stackoverflow.com/a/19201292/ provides possible solution on how to build, convert function, object as string. – guest271314 Dec 11 '15 at 06:30
  • Place to recommend JSON.stringify: Don't do all that string concatenation. Build an object like `var x = {}; x[embMember] = theFunction.toString()`, and at the end `return JSON.serialize(theThingWeBuilt)` – Thilo Dec 11 '15 at 06:33
  • There is no risk as json doesn't support functions – Jaromanda X Dec 11 '15 at 06:34
  • @guest271314 I took another look at the question and answer and loading the function is not a problem, I am looking for a solution to parsing the stringified object with its contained functions. – CalebB Dec 11 '15 at 06:36
  • Parsing within web worker ? – guest271314 Dec 11 '15 at 06:36
  • @guest271314 It is built into a blob which is loaded into the web worker. The object itself is parsed into a blob which is loaded. Does that make sense? – CalebB Dec 11 '15 at 06:38
  • Semantics. The function on json would be a string so there is no risk in storing function on json. Json doesn't even support date objects – Jaromanda X Dec 11 '15 at 06:39
  • No `Blob` `js` appear at Question ? Can include `js` at web worker ?, portions where `Blob` is created, parsed at Question ? – guest271314 Dec 11 '15 at 06:40
  • @guest271314 As I said, loading the javascript into the web worker is not the subject matter. I am purely looking for a solution to take a serialized object with stringified functions and return an object with function members. – CalebB Dec 11 '15 at 06:42

0 Answers
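The approach raised in the comments (build a plain object of function source strings, let JSON.stringify do the escaping, then rebuild with new Function), as an added example that is not part of the original thread. The `AjaxHandler` stand-in, its members `buildUrl`, `label` and `secret`, and all helper names are hypothetical; since `new Function` executes its input as code, the reviver takes an allow-list and is meant only for strings the same page produced.

```javascript
// Hypothetical stand-in for the question's AjaxHandler; members are constructed samples.
function AjaxHandler() {
    this.metaData = { embeddedMembers: ['buildUrl', 'label'] };
}
// Source contains double quotes, like the "use strict" in the question's functions.
AjaxHandler.prototype.buildUrl = function (base, id) {
    "use strict";
    return base + '/items/' + encodeURIComponent(id);
};
// Source contains a backslash, which is an invalid JSON escape when pasted raw.
AjaxHandler.prototype.label = function (s) {
    return s.replace(/\s+/g, ' ').trim();
};
AjaxHandler.prototype.secret = function () { return 'not embedded'; };
// The question's approach, reduced: wrap the raw source in quotes by hand.
function serializeByHand(handler) {
    const parts = handler.metaData.embeddedMembers.map(function (name) {
        const src = AjaxHandler.prototype[name].toString().replace(/[\n\r\t]+/g, '');
        return '"' + name + '":"' + src + '"';
    });
    return '{' + parts.join(',') + '}';
}
// Returns the error name JSON.parse raises on the hand-built string, or null.
function handParseError(handler) {
    try { JSON.parse(serializeByHand(handler)); return null; } catch (e) { return e.name; }
}

// Copy only the listed members' source, then let JSON.stringify do the escaping.
function serializeEmbedded(handler) {
    const out = {};
    for (const name of handler.metaData.embeddedMembers) {
        const fn = AjaxHandler.prototype[name];
        if (typeof fn !== 'function') throw new TypeError(name + ' is not a function');
        out[name] = fn.toString();
    }
    return JSON.stringify(out);
}

// Rebuild callable members. new Function executes the text as code, so only the
// allow-listed keys are revived and the input must be a string this page built.
function reviveEmbedded(json, allowed) {
    const parsed = JSON.parse(json);
    const obj = {};
    for (const name of allowed) {
        if (typeof parsed[name] !== 'string') throw new TypeError('missing member: ' + name);
        obj[name] = new Function('return (' + parsed[name] + ');')();
    }
    return obj;
}
```

The revived functions are fresh copies with no closure over the original scope, so they can only use their arguments and globals available where they are rebuilt.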