fix($http): only parse as JSON when opening/closing brackets match #10357
Conversation
|
CLAs look good, thanks! |
gkalpak
force-pushed
the
http-improved-json-detection
branch
2 times, most recently
from
5e4c081 to
18ba101
Compare
|
Just another small remark regarding the commit message: if we want to close #10349 with this commit (we could because it is technically fixing the reported issue) we should open a separate one to fix this once and fall all properly in 1.4 |
gkalpak
force-pushed
the
http-improved-json-detection
branch
from
18ba101 to
49e809c
Compare
|
@gkalpak cool, thnx for updating the function name. Regarding the issue - let's leave the commit message as-is and let's add a note to the 1.4 planning doc. Could you do it? |
|
I added it to the doc. |
|
Is there a reason for not using a single regex? Something such as The two regex thing appears to have been added a long long time ago in c7913a4. |
|
Even when I am ok with the check itself, we should do better here, as we are first removing the security prefix (and not keeping the original) and then checking if the |
|
@jbedard: You probably have to ask the one who introduced it. I just tried to stick as much as possible to the current approach. @lgalfaso: Not removing the prefix, when no deserialization takes place, sounds reasonable. I will update the PR shortly. |
|
@gkalpak it's been that way since introduced. I assume because it read easier then combining them. But now that we have 4 REs and a map I'd say one RE is simpler... |
gkalpak
force-pushed
the
http-improved-json-detection
branch
2 times, most recently
from
406a4c9 to
0838969
Compare
|
@lgalfaso: Updated so that the original data is returned, when the response doesn't look like JSON. @jbedard: It's 3 RegExp (and 2 of them are tiny); so if you ask me, I find the current approach simpler to read/understand. But if people think it is preferable to have one larger RegExp, it's fine by me :) |
|
Right, 3 RE not 4. But its the extra json mapping logic that makes it more complicated and error prone imo. |
gkalpak
force-pushed
the
http-improved-json-detection
branch
from
0838969 to
f1f48f9
Compare
|
So, I think we should merge it even if it is not perfect in the current form (no of RegExps etc.). It looks like we are going to drop JSON auto-detection in 1.4 so this will be a temporary change that improves the existing situation. |
|
@pkozlowski-opensource: Like I said, I find the 3 small RegExps more readable than 1 bigger RegExp, but if you'd rather go with the 1 RegExp, let me know; it should be a quick change. |
|
Nah, it is fine - this code will go away in 1.4 anyway... |
|
@gkalpak one last thing - what do you think about adding a test showing that a JSON protection prefix is not removed when a response is not deserialized as JSON? This is one of the things that changes with the PR, right? Maybe it would be good to be explicit about it? |
gkalpak
force-pushed
the
http-improved-json-detection
branch
from
f1f48f9 to
a99e97e
Compare
Previously, due to weak JSON-detecting RegExp, string like `[...}` and
`{...]` would be considered JSON (even if they obviously aren't) and an
expection would be thrown while trying to parse them.
This commit makes sure the opening and closing brackets match. This
doesn't completely eliminate false positives (e.g. `[]{}[]`), but does
help reduce them.
Closes angular#10349
gkalpak
force-pushed
the
http-improved-json-detection
branch
from
a99e97e to
3b6f364
Compare
|
@pkozlowski-opensource: Good idea :) UPDATED |
Previously, due to weak JSON-detecting RegExp, string like
[...}and{...]would be considered JSON (even if they obviously aren't) and anexpection would be thrown while trying to parse them.
This commit makes sure the opening and closing brackets match. This
doesn't completely eliminate false positives (e.g.
[]{}[]), but doeshelp reduce them.
Closes #10349
Note:
I don't consider this to be a breaking change, but if someone expects their app to throw when receiving a response like
'[...}'or'{...]', then this PR will break their app.