By daepark

2010-11-17 23:10:47 8 Comments

json2.js is strict requiring all object keys be double-quoted. However, in Javascript syntax {"foo":"bar"} is equivalent to {foo:"bar"}.

I have a textarea that accepts JSON input from the user and would like to "ease" the restriction on double quoting the keys. I've looked at how json2.js validates a JSON string in four stages before it evals it. I was able to add a 5th stage to allow unquoted keys and would like to know if there are any security implications to this logic.

var data = '{name:"hello", age:"23"}';

// Make sure the incoming data is actual JSON
// Logic borrowed from
if ( /^[\],:{}\s]*$/.test(data.replace(/\\(?:["\\\/bfnrt]|u[0-9a-fA-F]{4})/g, "@")
     .replace(/"[^"\\\n\r]*"|true|false|null|-?\d+(?:\.\d*)?(?:[eE][+\-]?\d+)?/g, "]")
     .replace(/(?:^|:|,)(?:\s*\[)+/g, ":") // EDITED: allow key:[array] by replacing with safe char ":"
     /** everything up to this point is json2.js **/

     /** this is the 5th stage where it accepts unquoted keys **/         
     .replace(/\w+\s*\:/g, ":")) ) { // EDITED: allow any alphanumeric key

  console.log( (new Function("return " + data))() );
else {
  throw( "Invalid JSON: " + data );


@daepark 2010-11-18 22:18:29

I thought it would be helpful to have actual test cases to flush out any issues with this implementation. I've added a github project called JSOL with some tests. Please fill free to add to it and find issues. Thanks.

@Anthony Corbelli 2010-11-18 00:32:00

data.replace(/(['"])?([a-zA-Z0-9]+)(['"])?:/g, '"$2":');

That will replace any single quotes on the parameter name, and add any that are missing.

@Martin Drapeau 2011-03-14 18:57:04

This seems to work. Except you failed to handle the underscore. Here's an updated regex: hash.replace(/(['"])?([a-zA-Z0-9_]+)(['"])?:/g, '"$2":');

@Anthony Corbelli 2011-03-16 19:22:02

touche, thank you that was an oversight

@powerboy 2012-08-25 22:25:06

This answer is far from perfect. Try {a: ['b', 'c']} or {a: "Note: something happened."}

@Marcos Dimitrio 2015-06-30 01:13:22

Beware that while this regex might work on some very specific scenarios, it will not work more complex stuff like: { location: '' }, you'll end up with invalid JSON: {"location": "http"://'}

@Steven Spungin 2017-01-02 17:49:26

Don't forget about the dollar sign either, and spaces between the name and colon. replace(/(['"])?([a-zA-Z0-9_\$]+)(['"])?\s*:/g, '"$2":')

@mattbasta 2010-11-18 00:21:20

JSON does not allow unquoted keys. JSON is a subset of JavaScript notation, and that does not include unquoted keys. Passing unquoted keys to just about any JSON parser will likely throw an error or return "unexpected" results.

Hope this helps

@JAL 2010-11-18 00:27:45

True about JSON of course, but JavaScript does allow unquoted keys in object literals. It's just a bit problematic as you can't use dashes or reserved words without quotes. I think the asker knows this already, however.

Related Questions

Sponsored Content

48 Answered Questions

[SOLVED] Can comments be used in JSON?

  • 2008-10-28 20:39:03
  • Michael Gundlach
  • 1804387 View
  • 6651 Score
  • 48 Answer
  • Tags:   json comments

3 Answered Questions

55 Answered Questions

[SOLVED] How to replace all occurrences of a string in JavaScript

34 Answered Questions

[SOLVED] What is the correct JSON content type?

54 Answered Questions

[SOLVED] How can I pretty-print JSON in a shell script?

6 Answered Questions

[SOLVED] Why does Google prepend while(1); to their JSON responses?

25 Answered Questions

[SOLVED] Safely turning a JSON string into an object

  • 2008-09-05 00:12:01
  • Matt Sheppard
  • 1194702 View
  • 1261 Score
  • 25 Answer
  • Tags:   javascript json

23 Answered Questions

[SOLVED] How can I pretty-print JSON using JavaScript?

23 Answered Questions

[SOLVED] How can I add a key/value pair to a JavaScript object?

16 Answered Questions

[SOLVED] Parse JSON in JavaScript?

Sponsored Content