By daepark

2010-11-17 23:10:47 8 Comments

json2.js is strict, requiring all object keys to be double-quoted. However, in JavaScript syntax {"foo":"bar"} is equivalent to {foo:"bar"}.

I have a textarea that accepts JSON input from the user and would like to "ease" the restriction on double quoting the keys. I've looked at how json2.js validates a JSON string in four stages before it evals it. I was able to add a 5th stage to allow unquoted keys and would like to know if there are any security implications to this logic.

var data = '{name:"hello", age:"23"}';

// Make sure the incoming data is actual JSON
// Logic borrowed from
if ( /^[\],:{}\s]*$/.test(data.replace(/\\(?:["\\\/bfnrt]|u[0-9a-fA-F]{4})/g, "@")
     .replace(/"[^"\\\n\r]*"|true|false|null|-?\d+(?:\.\d*)?(?:[eE][+\-]?\d+)?/g, "]")
     .replace(/(?:^|:|,)(?:\s*\[)+/g, ":") // EDITED: allow key:[array] by replacing with safe char ":"
     /** everything up to this point is json2.js **/

     /** this is the 5th stage where it accepts unquoted keys **/         
     .replace(/\w+\s*\:/g, ":")) ) { // EDITED: allow any alphanumeric key

  console.log( (new Function("return " + data))() );
} else {
  throw( "Invalid JSON: " + data );
}

@daepark 2010-11-18 22:18:29

I thought it would be helpful to have actual test cases to flush out any issues with this implementation. I've added a github project called JSOL with some tests. Please feel free to add to it and find issues. Thanks.

@Anthony Corbelli 2010-11-18 00:32:00

data.replace(/(['"])?([a-zA-Z0-9]+)(['"])?:/g, '"$2":');

That will replace any single quotes on the parameter name, and add any that are missing.

@Martin Drapeau 2011-03-14 18:57:04

This seems to work. Except you failed to handle the underscore. Here's an updated regex: hash.replace(/(['"])?([a-zA-Z0-9_]+)(['"])?:/g, '"$2":');

@Anthony Corbelli 2011-03-16 19:22:02

touche, thank you that was an oversight

@powerboy 2012-08-25 22:25:06

This answer is far from perfect. Try {a: ['b', 'c']} or {a: "Note: something happened."}

@Marcos Dimitrio 2015-06-30 01:13:22

Beware that while this regex might work on some very specific scenarios, it will not work on more complex stuff like: { location: '' }, you'll end up with invalid JSON: {"location": "http"://'}

@Steven Spungin 2017-01-02 17:49:26

Don't forget about the dollar sign either, and spaces between the name and colon. replace(/(['"])?([a-zA-Z0-9_\$]+)(['"])?\s*:/g, '"$2":')
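An added example, not part of any post on this page: the comments above show that a single regex rewrites colons inside string values, so this sketch scans the input character by character, copies string literals through untouched, quotes only bare words that are followed by a colon, and hands the result to JSON.parse instead of new Function. The names relaxedToJson and parseRelaxed and the sample inputs are assumptions made for illustration.

```javascript
// Added example: convert relaxed object-literal text to strict JSON, then
// JSON.parse it. Nothing is ever passed to eval or new Function.
function relaxedToJson(src) {
  let out = "";
  let i = 0;
  while (i < src.length) {
    const ch = src[i];
    if (ch === '"' || ch === "'") {
      // Copy the whole string literal so colons inside it are never rewritten.
      let j = i + 1;
      let body = "";
      while (j < src.length && src[j] !== ch) {
        if (src[j] === "\\" && j + 1 < src.length) {
          // \' is not a JSON escape; other escapes are left for JSON.parse to judge.
          body += src[j + 1] === "'" ? "'" : src[j] + src[j + 1];
          j += 2;
        } else {
          // A bare " inside a single-quoted string must be escaped for JSON.
          body += src[j] === '"' ? '\\"' : src[j];
          j += 1;
        }
      }
      if (j >= src.length) throw new SyntaxError("unterminated string at " + i);
      out += '"' + body + '"';
      i = j + 1;
    } else if (/[A-Za-z_$]/.test(ch)) {
      // Bare word: quote it only when a colon follows, i.e. it is a key.
      const word = /^[A-Za-z_$][\w$]*/.exec(src.slice(i))[0];
      const isKey = /^\s*:/.test(src.slice(i + word.length));
      out += isKey ? JSON.stringify(word) : word;
      i += word.length;
    } else {
      out += ch;
      i += 1;
    }
  }
  return out;
}

// Anything that is not data (identifiers, calls, operators) fails in JSON.parse.
function parseRelaxed(src) {
  return JSON.parse(relaxedToJson(src));
}

// Constructed sample inputs, including the cases raised in the comments above.
const samples = ['{name:"hello", age:"23"}', "{a: ['b', 'c']}",
  '{a: "Note: something happened."}', "{ $my_key : 'http://example.test/' }"];
for (const s of samples) console.log(s, "=>", JSON.stringify(parseRelaxed(s)));
```

Because the final step is JSON.parse, input that is not pure data raises a SyntaxError rather than being executed.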

@mattbasta 2010-11-18 00:21:20

JSON does not allow unquoted keys. JSON is a subset of JavaScript notation, and that does not include unquoted keys. Passing unquoted keys to just about any JSON parser will likely throw an error or return "unexpected" results.

Hope this helps

@JAL 2010-11-18 00:27:45

True about JSON of course, but JavaScript does allow unquoted keys in object literals. It's just a bit problematic as you can't use dashes or reserved words without quotes. I think the asker knows this already, however.
