Generate placeholder regexp with a uid for safety

Fixes yahoo#5

Author: ericf

index.js

@@ -8,11 +8,12 @@ See the accompanying LICENSE file for terms.
 
 var isRegExp = require('util').isRegExp;
 
-module.exports = serialize;
+// Generate an internal UID to make the regexp pattern harder to guess.
+var UID                 = Math.floor(Math.random() * 0x10000000000).toString(16);
+var PLACE_HOLDER_REGEXP = new RegExp('"@__(FUNCTION|REGEXP)-' + UID + '-(\\d+)__@"', 'g');
 
-var IS_NATIVE_CODE_REGEX = /\{\s*\[native code\]\s*\}/g,
-    PLACE_HOLDER_REGEX   = /"@__(FUNCTION|REGEXP)_(\d+)__@"/g,
-    UNSAFE_CHARS_REGEX   = /[<>\/\u2028\u2029]/g;
+var IS_NATIVE_CODE_REGEXP = /\{\s*\[native code\]\s*\}/g;
+var UNSAFE_CHARS_REGEXP   = /[<>\/\u2028\u2029]/g;
 
 // Mapping of unsafe HTML and invalid JavaScript line terminator chars to their
 // Unicode char counterparts which are safe to use in JavaScript strings.
@@ -31,21 +32,21 @@ var UNICODE_CHARS = {
 // `JSON.stringify()` `space` option to a truthy value.
 var SPACE = 2;
 
-function serialize(obj) {
-    var functions = [],
-        regexps   = [],
-        str;
+module.exports = function serialize(obj) {
+    var functions = [];
+    var regexps   = [];
+    var str;
 
     // Creates a JSON string representation of the object and uses placeholders
     // for functions and regexps (identified by index) which are later
     // replaced.
     str = JSON.stringify(obj, function (key, value) {
         if (typeof value === 'function') {
-            return '@__FUNCTION_' + (functions.push(value) - 1) + '__@';
+            return '@__FUNCTION-' + UID + '-' + (functions.push(value) - 1) + '__@';
         }
 
         if (typeof value === 'object' && isRegExp(value)) {
-            return '@__REGEXP_' + (regexps.push(value) - 1) + '__@';
+            return '@__REGEXP-' + UID + '-' + (regexps.push(value) - 1) + '__@';
         }
 
         return value;
@@ -60,7 +61,7 @@ function serialize(obj) {
     // Replace unsafe HTML and invalid JavaScript line terminator chars with
     // their safe Unicode char counterpart. This _must_ happen before the
     // regexps and functions are serialized and added back to the string.
-    str = str.replace(UNSAFE_CHARS_REGEX, function (unsafeChar) {
+    str = str.replace(UNSAFE_CHARS_REGEXP, function (unsafeChar) {
         return UNICODE_CHARS[unsafeChar];
     });
 
@@ -71,15 +72,15 @@ function serialize(obj) {
     // Replaces all occurrences of function and regexp placeholders in the JSON
     // string with their string representations. If the original value can not
     // be found, then `undefined` is used.
-    return str.replace(PLACE_HOLDER_REGEX, function (match, type, index) {
+    return str.replace(PLACE_HOLDER_REGEXP, function (match, type, valueIndex) {
         if (type === 'REGEXP') {
-            return regexps[index].toString();
+            return regexps[valueIndex].toString();
         }
 
-        var fn           = functions[index],
-            serializedFn = fn.toString();
+        var fn           = functions[valueIndex];
+        var serializedFn = fn.toString();
 
-        if (IS_NATIVE_CODE_REGEX.test(serializedFn)) {
+        if (IS_NATIVE_CODE_REGEXP.test(serializedFn)) {
             throw new TypeError('Serializing native function: ' + fn.name);
         }