JSONView has been removed/disabled from the Chrome Web Store

[sloanlance]

Security vulnerability issue copied from upstream repo is below.

The vulnerability is demonstrated by: https://rawgit.com/MattRyder/f356b402f696f147943907eb8a3859e5/raw/974c9151394b582d9ab7c58d0dc4d12f2fd5e35d/jsonViewVuln.json

Which contains:

{ "a": "http://\"><iframe/src='javascript:alert(document.domain)'></iframe>" }

Seems like this should be easy to fix.

From @-tordans on November 11, 2016 15:15

The extension is also automatically disabled with the notice that "this extension contains a serious security vulnerability."

Does anyone know more or how to fix it?

Further input

• https://github.com/bhollis/jsonview/issues number 135
• https://news.ycombinator.com/item?id=12925197#12925360

Update

I emailed @-gildas-lormeau but did not hear back from him.

I switched to "JSON Viewer" now like @-dan-blanchard suggested. JSON Viewer has a cleaner Issue and PR List than JSON-formatter, so I go with JSON Viewer and hope the maintainer will stay with us :).

Copied from original issue: gildas-lormeau/JSONView-for-Chrome number 75

[sloanlance]

From @-ScottGRoberts on November 11, 2016 20:39

Does this PR from 2 years ago address the issue? https://github.com/gildas-lormeau/JSONView-for-Chrome/pulls number 49

[sloanlance]

From @-MattRyder on November 14, 2016 11:8

Yep, can confirm it. Use the following page as a reproducible test case when JSONView is enabled.

The gist file being served can be found here (in safe form): https://gist.github.com/MattRyder/f356b402f696f147943907eb8a3859e5

[sloanlance]

From @-jamiew on November 16, 2016 14:31

I've been getting some questions on my (unrelated & unpublished) jsonview-chrome repository, https://github.com/jamiew/jsonview-chrome

Has anyone stepped up to fix things in this repo + republish yet?

[sloanlance]

From @-dan-blanchard on November 18, 2016 21:5

There are alternative extensions that seem to be just as nice (if not nicer):

• JSON Formatter
• JSON Viewer

[sloanlance]

From @-JordanMilne on November 19, 2016 3:7

Yep, there are actually several different UXSS issues in JSONView-for-Chrome's master.

• One @-joevennix reported in the autolinking code https://github.com/gildas-lormeau/JSONView-for-Chrome/pulls number 49
• One found by a Chinese security researcher in the JSONP handling http://blog.knownsec.com/2016/04/%E6%98%8E%E6%9E%AA%E6%98%93%E8%BA%B2%E6%9A%97%E7%AE%AD%E9%9A%BE%E9%98%B2-jsonview-0day/
• Another UXSS I privately reported to the maintainer / Google along with a patchset. This issue allowed more-or-less complete Same-Origin policy bypass because it abused an eval() in the content script. The maintainer didn't respond so Google removed the extension.

If someone wants to take ownership of a fork, this patchset should fix all three issues.