
My immediate reaction to this was not positive, for a few reasons.

  1. Trying to use regex to parse complex language constructs is a bad idea. Regular expressions just aren't suitable for such constructs.
  2. Security through blacklisting is a bad idea because you will always be, by definition, one step behind the attackers. You should use a positive security model.
  3. There are a huge number of XSS filter evasion techniques that can be used on top of standard vectors. You cannot possibly detect and block them all.
  4. JavaScript parsing of JSON via eval() is considered a security vulnerability.
  5. Modern browsers have support for proper native JSON parsing, via JSON.parse() and JSON.stringify().
  6. If you have to support old browsers, there is a safe JSON library you can use that does not use eval() for decoding.

All in all, your regex approach is over-engineered, insecure, misguided, and redundant. You're attempting to solve a problem that has already been solved. Don't be a Dave. Use the proper JSON parsing functions and libraries available to you.

Polynomial
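The contrast the answer draws (points 2, 4 and 5) as an added example; this is not code from the original answer or from any library it refers to. The two input strings are constructed for illustration, the `decodeUserRecord` schema (a `user` string plus a `role` from a fixed set) is an assumed application contract, and the `globalThis.__pwnCount` side effect merely stands in for whatever an attacker-controlled payload would actually do when eval() runs it. Runs under Node.js.

```javascript
// Added example, not part of the original answer.
// Shows why eval() is not a JSON decoder and what a positive security model
// (JSON.parse() plus a whitelist-style schema check) looks like instead.

// Constructed hostile input: valid JavaScript, so eval() executes it,
// but NOT valid JSON. The side effect is a stand-in for real attacker code.
const HOSTILE = '({"user":"mallory","role":(globalThis.__pwnCount=(globalThis.__pwnCount||0)+1,"admin")})';

// Constructed benign input of the shape the application expects.
const BENIGN = '{"user":"alice","role":"member"}';

// The eval()-based decoder the regex blacklist was trying to protect.
// It executes arbitrary code; shown only for comparison, do not use.
function decodeWithEval(text) {
  return eval(text); // eslint-disable-line no-eval
}

// Positive model: accept only what is known to be good.
// Assumed application contract: exactly {user: string, role: one of ROLES}.
const ROLES = new Set(['member', 'admin']);
const USERNAME = /^[a-z0-9_]{1,32}$/;

function decodeUserRecord(text) {
  let value;
  try {
    value = JSON.parse(text); // parses data only, never executes code
  } catch (e) {
    if (e instanceof SyntaxError) return null; // not JSON at all: reject
    throw e;
  }
  // Reject anything that is not a plain object with exactly the expected keys.
  if (value === null || typeof value !== 'object' || Array.isArray(value)) return null;
  const keys = Object.keys(value).sort();
  if (keys.length !== 2 || keys[0] !== 'role' || keys[1] !== 'user') return null;
  if (typeof value.user !== 'string' || !USERNAME.test(value.user)) return null;
  if (typeof value.role !== 'string' || !ROLES.has(value.role)) return null;
  // Return a fresh object so no unexpected properties leak through.
  return { user: value.user, role: value.role };
}

// Summarise the difference for the two inputs; returns data rather than
// printing so the behaviour can be checked programmatically.
function compareDecoders() {
  const before = globalThis.__pwnCount || 0;
  const safeHostile = decodeUserRecord(HOSTILE);   // null, no code ran
  const safeBenign = decodeUserRecord(BENIGN);     // {user, role}
  const afterSafe = globalThis.__pwnCount || 0;    // unchanged
  const evalHostile = decodeWithEval(HOSTILE);     // "works", and ran the payload
  const afterEval = globalThis.__pwnCount || 0;    // incremented
  return { safeHostile, safeBenign, evalHostile, ranDuringSafe: afterSafe - before, ranDuringEval: afterEval - afterSafe };
}

console.log(compareDecoders());
```

Note that the hardened path never looks for bad things in the input; it only checks that the parsed value matches the one shape the application is prepared to handle, which is the positive security model the answer recommends over a regex blacklist.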