Skip to content

refactor: explicit charset validation functions for JSON and URL-encoded payloads#678

Open
Phillip9587 wants to merge 1 commit intoexpressjs:masterfrom
Phillip9587:charset-validation
Open

refactor: explicit charset validation functions for JSON and URL-encoded payloads#678
Phillip9587 wants to merge 1 commit intoexpressjs:masterfrom
Phillip9587:charset-validation

Conversation

@Phillip9587
Copy link
Member

@Phillip9587 Phillip9587 commented Dec 15, 2025
edited
Loading

This PR improves the handling and validation of character encodings for the JSON and URL-encoded parsers, ensuring compliance with relevant standards and providing more robust, maintainable code.

The main change is extracting the previously inlined charset validation functions into utility functions. I also included tests for these functions.

isValidJsonCharset

  • Previously only checked if the charset starts with utf-
  • Now checks if the charset is utf-8 , utf-16 or utf-32 case-insensitive according to RFC 7159 Section 8.1 (Stricter, Maybe semver major)
  • RFC 7159 was superseded by RFC 8259 which is even stricter and defines:

JSON text exchanged between systems that are not part of a closed
ecosystem MUST be encoded using UTF-8 [RFC3629].
Previous specifications of JSON have not required the use of UTF-8
when transmitting JSON text. However, the vast majority of JSON-
based software implementations have chosen to use the UTF-8 encoding,
to the extent that it is the only encoding that achieves
interoperability.

isValidUrlencodedCharset

  • Previously checked case-senstive for utf-8 and iso-8859-1
  • Now checks case-insensitive the charset is already lower-cased in the getCharset() helper function

Edit 21.01.2025: I changed the PR so that the JSON Parser now is RFC 8259 compatible and ONLY allows utf-8.

This comment was marked as outdated.

Sign in to view

@Phillip9587 Phillip9587 requested a review from Copilot December 15, 2025 22:15

This comment was marked as outdated.

Sign in to view

bjohansebas
bjohansebas reviewed Dec 16, 2025
View reviewed changes
Copy link
Member

@bjohansebas bjohansebas left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is definitely a breaking change. For example, if I currently provide charset=utf-16be for JSONs, it would be decoded correctly and no error would be thrown, with your current PR this would be considered invalid, which makes me wonder whether the specification takes UTF-16BE or UTF-16LE encoding into account.

Additionally, how does this behave with iconv-lite? Given that iconv-lite correctly supports UTF-16BE and UTF-16LE, it should be able to decode the JSONs correctly.

My initial comments, i’ll continue reviewing these changes.

@ctcpip
Copy link
Member

ctcpip commented Jan 20, 2026

why wouldn't we just limit to UTF-8 at this point?

@Phillip9587
Copy link
Member Author

Phillip9587 commented Jan 20, 2026

@ctcpip I orgininally intented to keep this backward compatible but if we target a new major we should definitly limit it to utf-8.

@ctcpip
Copy link
Member

ctcpip commented Jan 20, 2026

it's already not backward-compatible, so my suggestion is to just adhere to the latest JSON RFC and only allow utf-8

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@UlisesGascon UlisesGascon Awaiting requested review from UlisesGascon

@jonchurch jonchurch Awaiting requested review from jonchurch

+1 more reviewer

@bjohansebas bjohansebas bjohansebas left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

semver-major

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@Phillip9587 @ctcpip @bjohansebas @UlisesGascon