Add a JSON sanitizer.

components/safe_json/json_sanitizer.h

+// Copyright 2015 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef COMPONENTS_SAFE_JSON_JSON_SANITIZER_H_
+#define COMPONENTS_SAFE_JSON_JSON_SANITIZER_H_
+
+#include <string>
+
+#include "base/callback_forward.h"
+#include "base/compiler_specific.h"
+#include "base/memory/scoped_ptr.h"
+
+#if defined(OS_ANDROID)
+#include <jni.h>
+#endif
+
+namespace safe_json {
+
+// Sanitizes and normalizes JSON by parsing it in a safe environment and
+// re-serializing it. Parsing the sanitized JSON should result in a value
+// identical to parsing the original JSON.
+// This allows parsing the sanitized JSON with the regular JSONParser while
+// reducing the risk versus parsing completely untrusted JSON. It also minifies
+// the resulting JSON, which might save some space.
+class JsonSanitizer {

[Robert Sesek, 2015/07/07 21:54:16]

Does this class need a Create/Start split, or can it have the same interface as
SafeJsonParser, with just one static Sanitize method?

[Bernhard Bauer, 2015/07/08 11:54:29]

As it is right now, Create() returns a scoped_ptr which allows the caller to
destroy the object. I could change the whole interface to be fire-and-forget
like SafeJsonParser, but I like having control over the lifetime of the involved
objects. (I would have changed the interface for SafeJsonParser to allow clients
to own it, but that would have been more complicated because of the existing
clients.) But if you feel strongly, I can change it.

[Robert Sesek, 2015/07/08 19:24:07]

What is the use for controlling this pointer lifetime? Would clients call
Start() multiple times on the same object with different data? If so, then maybe
Start() isn't the best name since it sounds one-off. If not, then I think
mirroring the interface of SafeJsonParser is best.

[Bernhard Bauer, 2015/07/08 21:56:47]

The use is... it's easier to reason about the lifetimes of objects if they don't
self-destruct. It is in fact possible to call Start() multiple times with
different data, but I don't have any plans right now to actually do that. I
renamed the method to Sanitize() for now; let me know if I should make it
fire-and-forget.

[Robert Sesek, 2015/07/08 22:00:43]

Unless there were a reason for multiple Sanitize() calls, I think it should just
be a static. That matches the SafeJsonParser, and then there's no object (for
the caller) to even reason about.

[Bernhard Bauer, 2015/07/09 12:34:49]

OK, done.

+ public:
+  using StringCallback = base::Callback<void(const std::string&)>;
+
+  // Creates a new instance of this class that will call back either the passed
+  // |success_callback| or the |error_callback| with the result of the
+  // sanitization or an error message, respectively. If this object is destroyed
+  // before that, no callback will be called.
+  static scoped_ptr<JsonSanitizer> Create(
+      const StringCallback& success_callback,
+      const StringCallback& error_callback);
+  virtual ~JsonSanitizer() {}
+
+  // Starts sanitizing the passed in unsafe JSON string. The error or success
+  // callback is guaranteed not to be called before the method returns. This
+  // method can be called arbitrarily often (even before a callback for an
+  // earlier call has been run, but there is no guarantee about the order in
+  // which the callbacks are run, and the result or error passed into the
+  // callback does not indicate what the input was).
+  virtual void Start(const std::string& unsafe_json) = 0;
+
+#if defined(OS_ANDROID)
+  static bool Register(JNIEnv* env);
+#endif
+
+ protected:
+  JsonSanitizer() {}
+
+ private:
+  DISALLOW_COPY_AND_ASSIGN(JsonSanitizer);
+};
+
+}  // namespace safe_json
+
+#endif  // COMPONENTS_SAFE_JSON_JSON_SANITIZER_H_