Douglas Wilson

Results 2001 comments of Douglas Wilson

Sure, but there are many other issues. For example, even `constructor` should arguably be sanitized out, as modules similar to `Object.assign` would pollute the prototype with that property name: https://hackerone.com/reports/430291...

Right, I get that, but doesn't requiring every module everywhere that does JSON.parse to add this seem like the wrong answer? It seems the root issue here needs to be...

If this module is unsafe without this change, the JavaScript Fetch API had the exact same issue: https://developer.mozilla.org/en-US/docs/Web/API/Body/json

Hi @rgrove I'm not necessarily hesitant to add something like this, but I would like to better understand the actual goal to protect here. It would be one thing if...

> I think it would be better to have the interface

This module should be the interface. `json` and `urlencoded` should be the separable libs that use this module ;)

i.am.machine :DDD

This is actually nearly done, as it was intended for the goal of bringing body-parser back into express core. Out of curiosity, what parser were you planning to build that...

> xml lol. Somehow I knew that was the answer ;) Currently the best you can do is to use `bodyParser.text` and then feed the text into an XML parser.

The reason why I had a feeling is because I use this module to parse XML all the time, but of course using text + parser requires the request body...

> Even created express-json5 based on bodyParser.

Though it looks like, as body-parser is currently, it can be significantly simplified by wrapping `bodyParser.text` ;)