@mapbox/safer-stringify

A stringify template helper for outputting JSON with escaped forward slashes and line terminators

Downloads in past

Stats

StarsIssuesVersionUpdatedCreatedSize
@mapbox/safer-stringify
600.0.26 years ago6 years agoMinified + gzip package size for @mapbox/safer-stringify in KB

Readme

safer-stringify
Like JSON.stringify, but escapes forward slashes and line terminators.
Build Status
NPM

Usage

Same arguments as JSON.stringify:
saferstringify(obj, replacer, spaces)
var saferstringify = require('safer-stringify');

var obj = {};
obj.github = 'http://www.github.com/mapbox/saferstringify';
obj.escape = 'ro
cks'; // has hidden \u2028 literal between `ro` and `cks`
obj.script = '<script>wut("lol")</script>';

saferstringify(obj, null, 2);
Output:
{
  "github": "http:\/\/www.github.com\/mapbox\/saferstringify",
  "escape": "ro\u2028cks",
  "script": "<script>wut(\"lol\")<\/script>"
}

Why?

A unescaped </script> tag in JSON will be parsed in HTML as the closing script tag regardless of whether it was intended as that or not. See http://stackoverflow.com/questions/66837/when-is-a-cdata-section-necessary-within-a-script-tag/1450633#1450633
u2028 and u2029 must be escaped because no string in JavaScript can contain a literal U+2028 or a U+2029, as they are line terminators. See http://timelessrepo.com/json-isnt-a-javascript-subset

Tests

npm test