feat: unsafe string format (#686)

Author: nigrosimone

README.md

@@ -630,6 +630,24 @@ integer-like values, such as:
 - `'2e4'` - _note this will be converted to `2`, not `20000`_
 - `1.5` - _note this will be converted to `1`_
 
+<a name="unsafe"></a>
+#### Unsafe string
+By default, the library escapes all strings. With the 'unsafe' format, the string isn't escaped. This has a potentially dangerous security issue. You can use it only if you are sure that your data doesn't need escaping. The advantage is a significant performance improvement.
+
+Example:
+```javascript
+const stringify = fastJson({
+  title: 'Example Schema',
+  type: 'object',
+  properties: {
+    'code': {
+	    type: 'string',
+	    format 'unsafe'
+    }
+  }
+})
+```
+
 ##### Benchmarks
 
 For reference, here goes some benchmarks for comparison over the three

benchmark/bench.js

@@ -47,6 +47,14 @@ const benchmarks = [
     },
     input: 'hello world'
   },
+  {
+    name: 'unsafe short string',
+    schema: {
+      type: 'string',
+      format: 'unsafe'
+    },
+    input: 'hello world'
+  },
   {
     name: 'short string with double quote',
     schema: {
@@ -61,13 +69,29 @@ const benchmarks = [
     },
     input: longSimpleString
   },
+  {
+    name: 'unsafe long string without double quotes',
+    schema: {
+      type: 'string',
+      format: 'unsafe'
+    },
+    input: longSimpleString
+  },
   {
     name: 'long string',
     schema: {
       type: 'string'
     },
     input: longString
   },
+  {
+    name: 'unsafe long string',
+    schema: {
+      type: 'string',
+      format: 'unsafe'
+    },
+    input: longString
+  },
   {
     name: 'number',
     schema: {

index.js

@@ -725,6 +725,8 @@ function buildSingleTypeSerializer (context, location, input) {
         return `json += serializer.asDate(${input})`
       } else if (schema.format === 'time') {
         return `json += serializer.asTime(${input})`
+      } else if (schema.format === 'unsafe') {
+        return `json += serializer.asUnsafeString(${input})`
       } else {
         return `json += serializer.asString(${input})`
       }

lib/serializer.js

@@ -122,6 +122,10 @@ module.exports = class Serializer {
     }
   }
 
+  asUnsafeString (str) {
+    return '"' + str + '"'
+  }
+
   // magically escape strings for json
   // relying on their charCodeAt
   // everything below 32 needs JSON.stringify()

test/basic.test.js

@@ -18,6 +18,12 @@ function buildTest (schema, toStringify) {
   })
 }
 
+buildTest({
+  title: 'string',
+  type: 'string',
+  format: 'unsafe'
+}, 'hello world')
+
 buildTest({
   title: 'basic',
   type: 'object',

test/string.test.js

@@ -48,3 +48,37 @@ test('serialize long string', (t) => {
   t.equal(output, `"${new Array(2e4).fill('\\u0000').join('')}"`)
   t.equal(JSON.parse(output), input)
 })
+
+test('unsafe string', (t) => {
+  t.plan(2)
+
+  const schema = {
+    type: 'string',
+    format: 'unsafe'
+  }
+
+  const input = 'abcd'
+  const stringify = build(schema)
+  const output = stringify(input)
+
+  t.equal(output, `"${input}"`)
+  t.equal(JSON.parse(output), input)
+})
+
+test('unsafe unescaped string', (t) => {
+  t.plan(2)
+
+  const schema = {
+    type: 'string',
+    format: 'unsafe'
+  }
+
+  const input = 'abcd "abcd"'
+  const stringify = build(schema)
+  const output = stringify(input)
+
+  t.equal(output, `"${input}"`)
+  t.throws(function () {
+    JSON.parse(output)
+  })
+})