Published 14 years 9 months ago • Last updated March 22, 2025 • ⏱️ < 1 min read
ES5 has decided for whatever reason to treat \u2028 and \u2029 (line/paragraph separators) as a new line in JavaScript this makes it in-line with regex "\s" character class. The JSON specification (to my knowledge) wasn't changed. So although it mentions escaping characters within strings it isn't a requirement. This means we're left with \u2028 and \u2029 characters that can break entire JSON feeds since the string will contain a new line and the JavaScript parser will bail out.
Another interesting fact is that Crockford's regex in the JSON specification is also wrong, correct at the time but now wrong =)
text='{"abc":"abc\u2029aa"}';
var my_JSON_object = !(/[^,:{}\[\]0-9.\-+Eaeflnr-u \n\r\t]/.test(
text.replace(/"(\\.|[^"\\])*"/g, ''))) &&
eval('(' + text + ')');
This will eval since the test doesn't account for line/paragraph separators and will raise a syntax error since a new line is encountered.
This is also true of most native JSON parsers in various browsers, for example the following:
eval("("+JSON.stringify({a:'a\u2029a'})+")")
Will bail out because the paragraph separator isn't escaped.