Why use JSON.parse(decodeURIComponent(staticString))?

Question

Certain dynamic web frameworks use this code fragment

<script>
appSettings = JSON.parse(
   decodeURIComponent(
     "%7B%22setting1%22%3A%22foo%22%2C%22setting2%22%3A123%7D"));
</script>

Is there a standard HTML5/JavaScript problem are they trying to solve with this code. Why not just

<script>
appSettings = {"setting1":"foo","setting2":123};
</script>

Note: this is dynamically generated code. I'm assuming on the server they are doing something like

var settingsString = encodeURIComponent(JSON.stringify(settings));
var output = '<script>appSettings=JSON.parse(decodeURIComponent("' + 
             settingsString + 
             '"));</script>';

But it seems like it would work just as well like this

var settingsString = JSON.stringify(settings);
var output = '<script>appSettings=' + 
             settingsString + 
             ';</script>';

One idea is the latter could contain code but they are the ones providing the string, it's not user data so they're no chance it could be code. Plus using JSON.stringify on the server would remove all code. On the client even then a simple JSON.parse of a JSON.stringifyied object would prevent code.

Is there a concrete problem being solved by the triple parsing? Once by JavaScript, once by decodeURIComponent, once by JSON.parse?

THIS IS NOT AN OPINION BASED QUESTION

The question is what problem is being solved. Either there is a problem being solved or there is not. No opinions required to answer that question. For example if JSON.stringify happens to emit unparseable code sometimes (which as far I know it doesn't but if someone knows better then that would be a good answer as to why).

Also note: I'm not asking why their framework does this. I'm asking if there is real problem being solved in standard HTML5/JavaScript. In other words, should I adopt this pattern because I'm going to run into an issue someday if I don't.

I can think of various reasons why somebody might do it that way (although I can think of (FSVO) better ways to solve the same problems), but you're asking us to speculate on an unknown persons thought processes, which isn't really answerable. — Quentin
– Quentin, Commented Dec 15, 2015 at 10:01
@Quentin, No I'm not asking you to speculate. Either there is an concrete objective reason OR there isn't. That's the question. What's the concrete objective reason for it. What problem is being solved. AFAIK there's no escape issues with JSON so the triple parsing is superfluous. But I could be wrong hence the question. — user128511
– user128511, Commented Dec 15, 2015 at 10:05
Is there a reason why you refuse to mention which framework it is that does this? It would help a lot in finding out the cause. — JJJ
– JJJ, Commented Dec 15, 2015 at 10:07
One benefit of this encoding is if your JSON contains HTML (e.g. closing </script> tag) inside, the browser will interpret that as HTML. — katspaugh
– katspaugh, Commented Dec 15, 2015 at 10:16
@gman: Telling us the name of the framwork would allow us to inspect its source and hunt for definitive comments. — Bergi
– Bergi, Commented Dec 15, 2015 at 10:30

Community · Accepted Answer · 2017-05-23 12:23:13Z

1

Is there a concrete problem being solved by the triple parsing?

Yes. Your suggested solution has two problems:

It's parsed as HTML. Things like </script> can cause havoc in an inline script.
It's parsed as JS. Not all JSON strings are valid JS literals.

The decodeURIComponent + JSON.parse approach is a crude workaround however and looks more like a quick fix than a proper solution.

edited May 23, 2017 at 12:23

CommunityBot

11 silver badge

answered Dec 15, 2015 at 10:28

Bergi

670k162 gold badges1k silver badges1.5k bronze badges

Sign up to request clarification or add additional context in comments.

2 Comments

user128511 Over a year ago

Can you elaborate on why it's a quick fix vs a proper solution?

Bergi Over a year ago

It blows up the size unnecessarily, once for embedding JSON in JS strings and once for url-encoding everything. Just escaping the problematic character (sequence)s should have been enough.

user128511 · Accepted Answer · 2015-12-15 10:24:03Z

1

@katspaugh is correct

Testing

var settingString = JSON.stringify({
  "</script>":  "<script>bar=123</script>",
});

Generates the code for the above example as

<script>
appSettings = {"</script>":"<script>window.bar=123</script>"}
</script>

Which fails to parse as HTML. Adding the encodeURIComponent on the server JSON.parse(decodeURIComponent(...)) on the client fixes that issue

answered Dec 15, 2015 at 10:24

user128511

Comments

Cao Shouguang · Accepted Answer · 2022-08-02 10:16:17Z

0

DO NOT USE IT.

let str = `C:\\Users\\Administrator\\Desktop\\小灶\\GT4T_translated_Chinese Simplified (简体中文)\\2013\%2F193461.pdf`

let newStr = decodeURIComponent(JSON.parse(`"${str}"`))

Depending on the str content, you may get unexpected errors. The code above will cause this error:

SyntaxError: Unexpected token U in JSON at position 4

answered Aug 2, 2022 at 10:16

Cao Shouguang

1464 bronze badges

Collectives™ on Stack Overflow

Why use JSON.parse(decodeURIComponent(staticString))?

3 Answers 3

2 Comments

Comments

Comments

Linked

Hot Network Questions

Collectives™ on Stack Overflow

3 Answers 3

2 Comments

Comments

Comments

Linked

Related