You talk about the risk of code injection but it seems you don't care at all. This test for detecting serialized functions is ridiculously weak, making a XSS with this example as easy as:
let person ={
name: 'function f(){},alert("XSS")'
};
Of course you can try to sanitize any user-inserted data, but unless you like playing russian roulette, I strongly discourage you to go that way.
You are right, that is an experiment, as I have clarified in many of the comments/discussion threads I've had on Linkedin, the blog comments section etc. But, I would never use something like that for user inserted data. If I were to ever use something like that in production, it would be for data structures that I created myself. The "person" example was the easiest to use. In the meantime, you have to sanitize everything, and you have a bigger problem if you allow your users to set names like that and you don't encode them.
As a closing thought, nothing comes out of JSON.parse when the object looks like this, besides an error that is easy to fix:
let person = {
name: 'function f(){},alert("XSS")'
};
Cheers.
You talk about the risk of code injection but it seems you don't care at all. This test for detecting serialized functions is ridiculously weak, making a XSS with this example as easy as: let person ={ name: 'function f(){},alert("XSS")' }; Of course you can try to sanitize any user-inserted data, but unless you like playing russian roulette, I strongly discourage you to go that way.You are right, that is an experiment, as I have clarified in many of the comments/discussion threads I've had on Linkedin, the blog comments section etc. But, I would never use something like that for user inserted data. If I were to ever use something like that in production, it would be for data structures that I created myself. The "person" example was the easiest to use. In the meantime, you have to sanitize everything, and you have a bigger problem if you allow your users to set names like that and you don't encode them. As a closing thought, nothing comes out of JSON.parse when the object looks like this, besides an error that is easy to fix: let person = { name: 'function f(){},alert("XSS")' }; Cheers.