Bug 1550476 - Replace jsol library by json5 to avoid eval-like usage r=miker

Depends on D38620

json5 is a much bigger library than JSOL but it doesn't rely on any eval-like code.
It should provide similar features, and testing locally it seems to work as expected.

Differential Revision: https://phabricator.services.mozilla.com/D38515

--HG--
extra : moz-landing-system : lando

devtools/client/shared/vendor/JSON5_LICENSE

@@ -0,0 +1,23 @@
+MIT License
+
+Copyright (c) 2012-2018 Aseem Kishore, and [others].
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
+
+[others]: https://github.com/json5/json5/contributors

devtools/client/shared/vendor/JSON5_UPGRADING.md

@@ -0,0 +1,36 @@
+[//]: # (
+  This Source Code Form is subject to the terms of the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.
+)
+
+# Upgrading json5
+
+## Getting the Source
+
+```bash
+git clone https://github.com/json5/json5
+cd json5
+git checkout v2.1.0 # checkout the right version tag
+```
+
+## Building
+
+```bash
+npm install
+npm run build
+cp dist/index.js <gecko-dev>/devtools/client/shared/vendor/json5.js
+```
+
+## Patching json5
+
+- open `json5.js`
+- Add the version number to the top of the file:
+  ```
+  /**
+   * json5 v2.1.0
+   */
+  ```
+- Replace instances of `Function('return this')()` with `globalThis`. See Bug 1473549.
+
+## Update the version:
+
+The current version is 2.1.0. Update this version number everywhere in this file.

devtools/client/shared/vendor/jsol.js

@@ -1,97 +0,0 @@
-/*
- * Copyright 2010, Google Inc.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions are
- * met:
- *
- *     * Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *     * Redistributions in binary form must reproduce the above
- * copyright notice, this list of conditions and the following disclaimer
- * in the documentation and/or other materials provided with the
- * distribution.
- *     * Neither the name of Google Inc. nor the names of its
- * contributors may be used to endorse or promote products derived from
- * this software without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
- * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
- * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
- * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
- * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
- * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
- * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-(function () {
-  /**
-   JSOL stands for JavaScript Object Literal which is a string representing
-   an object in JavaScript syntax.
-
-   For example:
-
-   {foo:"bar"} is equivalent to {"foo":"bar"} in JavaScript. Both are valid JSOL.
-
-   Note that {"foo":"bar"} is proper JSON[1] therefore you can use one of the many
-   JSON parsers out there like json2.js[2] or even the native browser's JSON parser,
-   if available.
-
-   However, {foo:"bar"} is NOT proper JSON but valid Javascript syntax for
-   representing an object with one key, "foo" and its value, "bar".
-   Using a JSON parser is not an option since this is NOT proper JSON.
-
-   You can use JSOL.parse to safely parse any string that reprsents a JavaScript Object Literal.
-   JSOL.parse will throw an Invalid JSOL exception on function calls, function declarations and variable references.
-
-   Examples:
-
-   JSOL.parse('{foo:"bar"}');  // valid
-
-   JSOL.parse('{evil:(function(){alert("I\'m evil");})()}');  // invalid function calls
-
-   JSOL.parse('{fn:function() { }}'); // invalid function declarations
-
-   var bar = "bar";
-   JSOL.parse('{foo:bar}');  // invalid variable references
-
-   [1] http://www.json.org
-   [2] http://www.json.org/json2.js
-   */
-  var trim =  /^(\s|\u00A0)+|(\s|\u00A0)+$/g; // Used for trimming whitespace
-  var JSOL = {
-    parse: function(text) {
-      // make sure text is a "string"
-      if (typeof text !== "string" || !text) {
-        return null;
-      }
-      // Make sure leading/trailing whitespace is removed
-      text = text.replace(trim, "");
-      // Make sure the incoming text is actual JSOL (or Javascript Object Literal)
-      // Logic borrowed from http://json.org/json2.js
-      if ( /^[\],:{}\s]*$/.test(text.replace(/\\(?:["\\\/bfnrt]|u[0-9a-fA-F]{4})/g, "@")
-           .replace(/"[^"\\\n\r]*"|true|false|null|-?\d+(?:\.\d*)?(?:[eE][+\-]?\d+)?/g, "]")
-           .replace(/(?:^|:|,)(?:\s*\[)+/g, ":")
-           /** everything up to this point is json2.js **/
-           /** this is the 5th stage where it accepts unquoted keys **/
-           .replace(/\w*\s*\:/g, ":")) ) {
-        return (new Function("return " + text))();
-      }
-      else {
-        throw("Invalid JSOL: " + text);
-      }
-    }
-  };
-
-  if (typeof define === "function" && define.amd) {
-    define(JSOL);
-  } else if (typeof module === "object" && module.exports) {
-    module.exports = JSOL;
-  } else {
-    this.JSOL = JSOL;
-  }
-})();

devtools/client/shared/vendor/moz.build

@@ -12,7 +12,7 @@ DevToolsModules(
     'fluent-react.js',
     'fluent.js',
     'immutable.js',
-    'jsol.js',
+    'json5.js',
     'jszip.js',
     'lodash.js',
     'react-dom-factories.js',

devtools/client/storage/ui.js

@@ -8,7 +8,6 @@
 const EventEmitter = require("devtools/shared/event-emitter");
 const { LocalizationHelper, ELLIPSIS } = require("devtools/shared/l10n");
 const KeyShortcuts = require("devtools/client/shared/key-shortcuts");
-const JSOL = require("devtools/client/shared/vendor/jsol");
 const { KeyCodes } = require("devtools/client/shared/keycodes");
 const { getUnicodeHostname } = require("devtools/client/shared/unicode-url");
 
@@ -40,6 +39,7 @@ loader.lazyRequireGetter(
   "validator",
   "devtools/client/shared/vendor/stringvalidator/validator"
 );
+loader.lazyRequireGetter(this, "JSON5", "devtools/client/shared/vendor/json5");
 
 /**
  * Localization convenience methods.
@@ -955,7 +955,7 @@ class StorageUI {
 
     let obj = null;
     try {
-      obj = JSOL.parse(value);
+      obj = JSON5.parse(value);
     } catch (ex) {
       obj = null;
     }