@dconnolly replaced JSON.parse with a safe non-eval JSON parse. closes #2077

CHANGELOG.md

@@ -11,6 +11,7 @@ CHANGELOG
 * @mmcc (and others) converted the whole project to use ES6, Babel and Browserify ([view](https://github.com/videojs/video.js/pull/1976))
 * @heff converted all classes to use ES6 classes ([view](https://github.com/videojs/video.js/pull/1993))
 * @mmcc added ES6 default args and template strings ([view](https://github.com/videojs/video.js/pull/2015))
+* @dconnolly replaced JSON.parse with a safe non-eval JSON parse ([view](https://github.com/videojs/video.js/pull/2077))
 
 --------------------
 

package.json

@@ -22,9 +22,10 @@
   },
   "main": "src/js/video.js",
   "dependencies": {
+    "global": "^4.3.0",
+    "safe-json-parse": "^4.0.0",
     "videojs-swf": "4.5.4",
-    "vtt.js": "git+https://github.com/gkatsev/vtt.js.git#shim-build",
-    "global": "^4.3.0"
+    "vtt.js": "git+https://github.com/gkatsev/vtt.js.git#shim-build"
   },
   "devDependencies": {
     "babelify": "^6.0.1",
@@ -34,6 +35,7 @@
     "chg": "~0.2.0",
     "grunt": "^0.4.4",
     "grunt-aws-s3": "^0.12.1",
+    "grunt-banner": "^0.3.1",
     "grunt-browserify": "^3.5.0",
     "grunt-cli": "~0.1.0",
     "grunt-contrib-clean": "~0.4.0a",

src/js/json.js

@@ -1,75 +0,0 @@
-/**
- * @fileoverview Add JSON support
- * @suppress {undefinedVars}
- * (Compiler doesn't like JSON not being declared)
- */
-
-import window from 'global/window';
-// Changing 'JSON' throws jshint errors
-var json = window.JSON;
-
-/**
- * Javascript JSON implementation
- * (Parse Method Only)
- * https://github.com/douglascrockford/JSON-js/blob/master/json2.js
- * Only using for parse method when parsing data-setup attribute JSON.
- * @suppress {undefinedVars}
- * @namespace
- * @private
- */
-if (!(typeof json !== 'undefined' && typeof json.parse === 'function')) {
-  json = {};
-
-  var cx = /[\u0000\u00ad\u0600-\u0604\u070f\u17b4\u17b5\u200c-\u200f\u2028-\u202f\u2060-\u206f\ufeff\ufff0-\uffff]/g;
-
-  /**
-   * parse the json
-   *
-   * @memberof JSON
-   * @param {String} text The JSON string to parse
-   * @param {Function=} [reviver] Optional function that can transform the results
-   * @return {Object|Array} The parsed JSON
-   */
-   json.parse = function (text, reviver) {
-    var j;
-
-    function walk(holder, key) {
-      var k, v, value = holder[key];
-      if (value && typeof value === 'object') {
-        for (k in value) {
-          if (Object.prototype.hasOwnProperty.call(value, k)) {
-            v = walk(value, k);
-            if (v !== undefined) {
-              value[k] = v;
-            } else {
-              delete value[k];
-            }
-          }
-        }
-      }
-      return reviver.call(holder, key, value);
-    }
-
-    text = String(text);
-    cx.lastIndex = 0;
-    if (cx.test(text)) {
-      text = text.replace(cx, function (a) {
-        return '\\u'+ ('0000' + a.charCodeAt(0).toString(16)).slice(-4);
-      });
-    }
-
-    if (/^[\],:{}\s]*$/
-      .test(text.replace(/\\(?:["\\\/bfnrt]|u[0-9a-fA-F]{4})/g, '@')
-      .replace(/"[^"\\\n\r]*"|true|false|null|-?\d+(?:\.\d*)?(?:[eE][+\-]?\d+)?/g, ']')
-      .replace(/(?:^|:|,)(?:\s*\[)+/g, ''))) {
-
-      j = eval('(' + text + ')');
-
-      return typeof reviver === 'function' ? walk({'': j}, '') : j;
-    }
-
-    throw new SyntaxError('JSON.parse(): invalid or malformed JSON data');
-  };
-}
-
-export default json;

src/js/player.js

@@ -4,7 +4,7 @@ import * as Events from './events.js';
 import FullscreenApi from './fullscreen-api.js';
 import MediaError from './media-error.js';
 import Options from './options.js';
-import JSON from './json.js';
+import safeParseTuple from 'safe-json-parse/tuple';
 import window from 'global/window';
 import document from 'global/document';
 
@@ -1624,7 +1624,7 @@ class Player extends Component {
     if (dataSetup !== null){
       // Parse options JSON
       // If empty string, make it a parsable json object.
-      Lib.obj.merge(tagOptions, JSON.parse(dataSetup || '{}'));
+      Lib.obj.merge(tagOptions, safeParseTuple(dataSetup || '{}')[1]);
     }
 
     Lib.obj.merge(baseOptions, tagOptions);

src/js/setup.js

@@ -1,4 +1,3 @@
-import JSON from './json';
 import * as Events from './events';
 import document from 'global/document';
 import window from 'global/window';

src/js/tracks/text-track-settings.js

@@ -1,6 +1,7 @@
 import Component from '../component';
 import * as Lib from '../lib';
 import * as Events from '../events';
+import safeParseTuple from 'safe-json-parse/tuple';
 import window from 'global/window';
 
 class TextTrackSettings extends Component {
@@ -105,7 +106,7 @@ class TextTrackSettings extends Component {
   restoreSettings() {
     let values;
     try {
-      values = JSON.parse(window.localStorage.getItem('vjs-text-track-settings'));
+      values = safeParseTuple(window.localStorage.getItem('vjs-text-track-settings'))[1];
     } catch (e) {}
 
     if (values) {

test/unit/tracks/text-track-settings.js

@@ -1,6 +1,7 @@
 import TextTrackSettings from '../../../src/js/tracks/text-track-settings.js';
 import TestHelpers from '../test-helpers.js';
 import * as Events from '../../../src/js/events.js';
+import safeParseTuple from 'safe-json-parse/tuple';
 import window from 'global/window';
 
 var tracks = [{
@@ -45,7 +46,7 @@ test('should update settings', function() {
   equal(player.el().querySelector('.vjs-font-percent select').selectedIndex, 3, 'font-percent is set to new value');
 
   Events.trigger(player.el().querySelector('.vjs-done-button'), 'click');
-  deepEqual(JSON.parse(window.localStorage.getItem('vjs-text-track-settings')), newSettings, 'values are saved');
+  deepEqual(safeParseTuple(window.localStorage.getItem('vjs-text-track-settings'))[1], newSettings, 'values are saved');
 });
 
 test('should restore default settings', function() {