How is it loaded into the str var?
Anyway, there is a workaround (working here):
var c=',[]flr';
for(var i=0;i<c.length;i++)
eval("str=str.replace(/\\"+c.charAt(i)+"/g,'\\\\"+c.charAt(i)+"');");
What we do is, for each char in c, evaluate the following code (replacing X with the char):
str=str.replace(/\X/g,'\\X');
OK, that's an odd (and maybe dangerous) bug at the site which delivers the JSON. If it does not turn the \' to \', maybe it does not turn the ' to \'. So, anything after a ' or a " (depending on how the string is quoted) will be executed on any site that includes that (i.e. your site). Maybe as JSON is a little more secure.
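The quoting problem described in the post above, shown as an added example that is not part of the original thread: a response with an unescaped quote behaves differently when the consumer runs it as code than when it is parsed strictly as data with JSON.parse. The builder functions, the probe object and the sample value are hypothetical and constructed for illustration.

```javascript
// Added example. Function names and the sample value are assumptions, not from the thread.

// Server that wraps a value in single quotes without escaping it (the bug described above).
function buildScriptUnescaped(value) {
  return "({title: '" + value + "'})";
}

// Server that serializes properly: quotes and backslashes inside the value stay data.
function buildJson(value) {
  return JSON.stringify({ title: value });
}

// Consumer A: treats the response as code, which is what eval or a <script> include does.
function loadAsCode(text, probe) {
  return new Function("probe", "return " + text)(probe);
}

// Consumer B: treats the response strictly as data and reports parse failures.
function loadAsData(text) {
  try {
    return { ok: true, value: JSON.parse(text) };
  } catch (err) {
    return { ok: false, error: err.name };
  }
}

// Constructed value: the quote ends the string early, so the rest is read as an expression.
const SAMPLE = "x'}), (probe.ran = true), ({t: '";

// Runs both consumers over the same value and reports what happened.
function demo() {
  const probe = { ran: false };
  loadAsCode(buildScriptUnescaped(SAMPLE), probe);
  const rejected = loadAsData(buildScriptUnescaped(SAMPLE));
  const parsed = loadAsData(buildJson(SAMPLE));
  return {
    codePathRanExtra: probe.ran,          // the trailing text executed as code
    dataRejectsBadText: !rejected.ok,     // JSON.parse refuses the malformed response
    rejectError: rejected.error,
    dataRoundTrips: parsed.ok && parsed.value.title === SAMPLE,
  };
}
```

On the consuming site, the check that matters is the second one: a response that fails JSON.parse is dropped instead of being evaluated.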