zxlie / FeHelper

😍FeHelper -- Web Front-End Helper (Awesome! Chrome & Firefox & MS-Edge Extension, All in one Toolbox!)
https://www.baidufe.com/fehelper
MIT License
5.07k stars 1.24k forks

arbitrary code execution when formatting json #63

Open hundan2020 opened 5 years ago

hundan2020 commented 5 years ago

poc:

(function(){confirm(1)})()


When the web page contains only JS content, it may result in code execution. (It shouldn't be executed when browsing a single JS file without any HTML tag.)

I discovered the insecure code in https://github.com/zxlie/FeHelper/blob/master/apps/json-format/automatic.js, lines 199 to 206.

Additionally, I understand the code was made compatible with bad JSON content like {a:1}, but as a result, it's insecure.

zxlie commented 5 years ago

Thank you very much for your feedback! However, this tool is meant for formatting JSON; if the input is not JSON to begin with, no tool, however good, can format it. If the tool needs to be upgraded, it would be by adding a JSON validity check before formatting.

hundan2020 commented 5 years ago

I get your point, and here is some supplementary explanation.

The first PoC I sent was executed manually; in fact, I mean the code will execute automatically. Look at this new PoC:

{
    "a":(function(){
        confirm(1)
    })()
}

Now I open the Chrome extension; you can see the source code, and the code was executed.

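The two patterns discussed in this thread, as an added example that is not FeHelper's own code: a formatter that accepts relaxed JSON like {a:1} by evaluating the input as JavaScript runs whatever expression the input embeds, while JSON.parse rejects such input without executing anything. The function names, the globalThis recorder and the constructed PoC input are assumptions for this illustration.

```javascript
// Constructed illustration (not FeHelper's actual code).
// Vulnerable pattern: tolerating non-strict JSON by evaluating the text.
// This is equivalent to eval(): any expression in `text` runs with the
// extension page's privileges.
function formatViaEval(text) {
  const value = new Function('return (' + text + ');')();
  return JSON.stringify(value, null, 4);
}

// Hardened pattern: JSON.parse never executes code; anything that is not
// valid JSON (including {a:1}) is reported as an error instead of evaluated.
function formatViaParse(text) {
  try {
    return { ok: true, output: JSON.stringify(JSON.parse(text), null, 4) };
  } catch (err) {
    return { ok: false, error: err.name + ': ' + err.message };
  }
}

// Constructed input in the shape of the reporter's second PoC, with confirm(1)
// replaced by a recorder (globalThis.__fehelperDemo) so the side effect is
// observable outside a browser.
const POC = '{"a": (function(){ globalThis.__fehelperDemo.push("executed"); return 1; })() }';
const RELAXED = '{a:1}';    // tolerated by eval, rejected by JSON.parse
const STRICT = '{"a":1}';   // valid JSON, handled by both

// Runs both formatters over the constructed inputs and reports what happened.
function runDemo() {
  globalThis.__fehelperDemo = [];
  const evalOutput = formatViaEval(POC);
  return {
    evalOutput,                                        // formatted fine...
    executed: globalThis.__fehelperDemo.length === 1,  // ...but the code ran
    safePoc: formatViaParse(POC),                      // ok: false
    safeRelaxed: formatViaParse(RELAXED),              // ok: false
    safeStrict: formatViaParse(STRICT),                // ok: true
  };
}

const result = runDemo();
console.log(JSON.stringify(result, null, 2));
```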

zxlie commented 5 years ago

Got it ~ I'll add a compatibility fix.

zxlie commented 5 years ago

Btw: for this kind of input, this tool is more appropriate: https://www.baidufe.com/fehelper/codebeautify.html

OS-WS commented 3 years ago

Hi, is there a fix for CVE-2019-12966? If so, in what commit?

Thanks in advance!