From a security perspective, I can see simply doing an 'eval' on incoming JSON data as a critical mistake. If you got data like below you'd have some problems.

{ someData:((function() { 
    alert("i'm in ur code hackin' ur page"); 
})()) }

I wondered what the most popular JavaScript libraries do. Is it a manual parse or simply an eval?

[Edit]

I'm not asking if I should eval/parse - I was asking what methods some of the popular JavaScript libraries use (jQuery, Prototype, etc.).

A: 

Use evalJSON() instead?
As far as I know this basically calls eval() after some sanitation checks.

shoosh
+1  A: 

You should absolutely parse it! JSON is just a subset of JavaScript. But eval would evaluate any JavaScript code and not that specific subset like a JSON parser would.

Gumbo
+7  A: 

Here's what the official JavaScript parser does:

// In the second stage, we run the text against regular expressions that look
// for non-JSON patterns. We are especially concerned with '()' and 'new'
// because they can cause invocation, and '=' because it can cause mutation.
// But just to be safe, we want to reject all unexpected forms.

// We split the second stage into 4 regexp operations in order to work around
// crippling inefficiencies in IE's and Safari's regexp engines. First we
// replace the JSON backslash pairs with '@' (a non-JSON character). Second, we
// replace all simple value tokens with ']' characters. Third, we delete all
// open brackets that follow a colon or comma or that begin the text. Finally,
// we look to see that the remaining characters are only whitespace or ']' or
// ',' or ':' or '{' or '}'. If that is so, then the text is safe for eval.

if (/^[\],:{}\s]*$/.
    test(text.replace(/\\(?:["\\\/bfnrt]|u[0-9a-fA-F]{4})/g, '@').
    replace(/"[^"\\\n\r]*"|true|false|null|-?\d+(?:\.\d*)?(?:[eE][+\-]?\d+)?/g, ']').
    replace(/(?:^|:|,)(?:\s*\[)+/g, ''))) {

// In the third stage we use the eval function to compile the text into a
// JavaScript structure. The '{' operator is subject to a syntactic ambiguity
// in JavaScript: it can begin a block or an object literal. We wrap the text
// in parens to eliminate the ambiguity.

    j = eval('(' + text + ')');

    ...

With the exception of the built-in JSON parsing support that is in IE8 and FF 3.5, this is what all (library-based) secure JSON parsers do (i.e., a regex test before eval).

Secure libraries (in addition to the official json2 implementation):

Prototype's isJSON function.

Mootools' JSON.decode function (again, via a regex test before eval).

Insecure libraries:

dojo's fromJson does not provide secure evaling. Here is their entire implementation (minus comments):

dojo.fromJson = function(json) {
    return eval("(" + json + ")");
}

jQuery does not provide secure JSON eval'ing, but see the official plugin's secureEvalJSON function (line 143).

Crescent Fresh
That's one heck of a regular expression.
Hugoware
Actually, some JSON parsers have a safemode that skips the regex. This mode is faster, but also less safe.
henrikh
@Henrik: if it's less safe, why do you call it "safemode"? ;)
Crescent Fresh
Because it assumes that the input is already safe. (When it comes from a server you control, this sounds reasonable.)
Thomas
A: 

From http://code.google.com/p/json-sans-eval/ :

A fast and secure JSON parser in JavaScript

This JSON parser does not attempt to validate the JSON, so may return a result given a syntactically invalid input, but does not use eval so is deterministic and is guaranteed not to modify any object other than its return value.

There are a number of JSON parsers in JavaScript at json.org. This implementation should be used whenever security is a concern (when JSON may come from an untrusted source), speed is a concern, and erroring on malformed JSON is not a concern.

This implementation

  • Pros: Fast, secure
  • Cons: Not validating

json_parse.js

  • Pros: Validating, secure
  • Cons: Slow

json2.js

  • Pros: Fast, some validation
  • Cons: Potentially insecure

json2.js is very fast, but potentially insecure since it calls eval to parse JSON data, so an attacker might be able to supply strange JS that looks like JSON, but that executes arbitrary JavaScript.

If you do have to use json2.js with untrusted data, make sure you keep your version of json2.js up to date so that you get patches as they're released.

Mike Samuel
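To make the two answers above concrete, here is an added example (not code from the question, from any answer, or from json2.js/json-sans-eval themselves) that rebuilds json2's three-stage regex whitelist as a standalone check and runs it beside native JSON.parse over a few constructed inputs, including the question's payload. It shows the filter rejecting anything that could invoke or mutate, and also passing a non-JSON form (a trailing comma) that a real parser rejects, which is the "some validation" caveat from the json-sans-eval comparison.

```javascript
// Added example: json2-style pre-eval whitelist vs. native JSON.parse.
// The three regexes are json2's published ones; the wrapper functions,
// sample inputs and names (isSafeForEval, compare, SAMPLES) are constructed here.

// Returns true only if, after removing every legitimate JSON token, nothing
// but structural characters ('{' '}' ']' ',' ':' whitespace) remains.
function isSafeForEval(text) {
  const stripped = text
    // 1. neutralise escape pairs so an escaped quote cannot end a string early
    .replace(/\\(?:["\\\/bfnrt]|u[0-9a-fA-F]{4})/g, '@')
    // 2. collapse every legal scalar (string, true/false/null, number) to ']'
    .replace(/"[^"\\\n\r]*"|true|false|null|-?\d+(?:\.\d*)?(?:[eE][+\-]?\d+)?/g, ']')
    // 3. drop opening brackets that legitimately follow ':' or ',' or start the text
    .replace(/(?:^|:|,)(?:\s*\[)+/g, '');
  // leftover identifiers, parentheses or operators ('(' 'new' '=' '+' ...) fail
  return /^[\],:{}\s]*$/.test(stripped);
}

// json2-style parse: eval runs only after the whitelist has passed.
function json2StyleParse(text) {
  if (!isSafeForEval(text)) throw new SyntaxError('rejected by json2 filter');
  return eval('(' + text + ')');
}

// Runs one input through both approaches and reports what each decided.
function compare(text) {
  const result = { json2Filter: isSafeForEval(text), nativeParse: 'ok' };
  try { JSON.parse(text); } catch (e) { result.nativeParse = 'error'; }
  return result;
}

// Constructed sample inputs (not taken from any real traffic).
const SAMPLES = {
  plain: '{"a": [1, 2, {"b": "x"}], "c": -1.5e3, "d": true, "e": null}',
  escapes: '{"k": "quote \\" and unicode \\u00e9"}',
  questionPayload: '{ someData:((function() { alert("x"); })()) }',
  arithmetic: '{"a": 1+1}',
  trailingComma: '[1, 2,]',   // not JSON, but the filter lets it through
};

for (const [name, text] of Object.entries(SAMPLES)) {
  console.log(name.padEnd(16), JSON.stringify(compare(text)));
}
```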