ref: added functionality to escapeJSONstrings (ref: #5251) #5508
Conversation
🦋 Changeset detectedLatest commit: d18d78d The changes in this PR will be included in the next version bump. This PR includes changesets to release 1 package
Not sure what this means? Click here to learn what changesets are. Click here if you're a maintainer who wants to add another changeset to this PR |
|
Is my approach correct , am i working right on this pr @Amxx ? |
contracts/utils/Strings.sol
Outdated
|
|
||
| function _escapeJsonString(string memory input) private pure returns (string memory) { | ||
| bytes memory buffer = bytes(input); | ||
| bytes memory output = new bytes(buffer.length * 2); // Allocate max possible space |
There was a problem hiding this comment.
I'm worried this allocated a lot of memory that is not freed. This is quite expensive. Alternatives are:
- count number of "extra chars" in a loop, and allocate the right size directly
- resize the output buffer without a copy, and move the free memory ptr, using assembly
Co-authored-by: Hadrien Croubois <hadrien.croubois@gmail.com>
I tried implementing both changes, but the one I pushed used 207 less gas when tested with 'Test "Hello , World!"'. I've uploaded a screenshot of the other implementation. Which one do you think
I should go with?
|
|
U can review it now @Amxx |
|
You are doing quite a lot of read/write to the My version is just function escapeJson(string memory input) internal pure returns (string memory) {
bytes memory buffer = bytes(input);
bytes memory output = new bytes(2 * buffer.length); // worst case scenario
uint256 outputLength = 0;
for (uint256 i; i < buffer.length; ++i) {
bytes1 char = buffer[i];
if (((SPECIAL_CHARS_LOOKUP & (1 << uint8(char))) != 0)) {
output[outputLength++] = '\\';
if (char == 0x08) output[outputLength++] = 'b';
else if (char == 0x09) output[outputLength++] = 't';
else if (char == 0x0A) output[outputLength++] = 'n';
else if (char == 0x0C) output[outputLength++] = 'f';
else if (char == 0x0D) output[outputLength++] = 'r';
else if (char == 0x22) output[outputLength++] = '"';
else if (char == 0x2F) output[outputLength++] = '/';
else if (char == 0x5C) output[outputLength++] = '\\';
} else {
output[outputLength++] = char;
}
}
assembly ("memory-safe") {
// write the actual length
mstore(output, outputLength)
// deallocate unused memory
mstore(0x40, add(output, shl(5, shr(5, add(outputLength, 63)))))
}
return string(output);
}Note that we need testing ! For that the function has to be internal. |
|
(closed by missclick) |
|
TODO:
|
|
okay will do
|
|
No dependency changes detected. Learn more about Socket for GitHub ↗︎ 👍 No dependency changes detected in pull request |
DarkLord017
force-pushed
the
escape_functionality
branch
from
20e5acc to
5bfb4cf
Compare
|
U can review it now @Amxx |
|
Is it correct to drop the forward slash escaping? |
I read this then removed that |
|
We should have a comment that this can only be used inside double quote strings. Single quotes are not escaped. |
| // write the actual length and deallocate unused memory | ||
| assembly ("memory-safe") { | ||
| mstore(output, outputLength) | ||
| mstore(0x40, add(output, shl(5, shr(5, add(outputLength, 63))))) |
There was a problem hiding this comment.
Same here (audit will report consistency)
| mstore(0x40, add(output, shl(5, shr(5, add(outputLength, 63))))) | |
| mstore(64, add(output, shl(5, shr(5, add(outputLength, 63))))) |
| */ | ||
| function escapeJSON(string memory input) internal pure returns (string memory) { | ||
| bytes memory buffer = bytes(input); | ||
| bytes memory output = new bytes(2 * buffer.length); // worst case scenario |
There was a problem hiding this comment.
I don't like that this is allocating worst-case scenario memory. Ideally, it should be just buffer.length, iterate and count the characters to escape, then indeed escape them. The tradeoff here is perhaps a bit more computation (i.e. more checks over) so I'm not convinced it's an actual saving.
There was a problem hiding this comment.
We tested to have two loops:
- one loop that counts the times escaping is needed
- then we allocate exactly the right size
- then we loop a second time.
It ends up being more expensive.
An alternative is to do all the allocation manually (basically we move the fmp ourselves)
Co-authored-by: Hadrien Croubois <hadrien.croubois@gmail.com> Co-authored-by: Arr00 <13561405+arr00@users.noreply.github.com> Signed-off-by: Hadrien Croubois <hadrien.croubois@gmail.com>
Fixes #5251
A function to escape special characters in JSON strings
Handles key characters like quotes ("), backslashes (), forward slashes (/), and control characters (\n, \t, \r, etc.)
Prevents JSON injection attacks in NFT metadata and other use cases
PR Checklist
npx changeset add)