tags:

views:

612

answers:

5
+5  Q: 

JSON.parse vs. eval()

My Spider Sense warns me that using eval() to parse incoming JSON is a bad idea. I'm just wondering if JSON.parse() - which I assume is a part of JavaScript and not a browser-specific function - is more secure.

A: 

JSON is just a subset of JavaScript. But eval evaluates the full JavaScript language and not just the subset that’s JSON.

Gumbo  2009-12-03 22:16:12
Right, I know that. Are you implying that JSON.parse() ONLY evaluates JSON and fails on all other incoming data? Or is it simply a wrapper for:var myObject = eval('(' + responseText + ')');??
Kevin Major  2009-12-03 22:21:27
@Kevin Major: Yes, the natively implemented `JSON.parse` (directly implemented into the JavaScript engine) parses only JSON. But other non-natively implementations use do some sanity checking and then use `eval` for performance reasons.
Gumbo  2009-12-03 22:33:58
+1  A: 

If you parse the JSON with eval, you're allowing the string being parsed to contain absolutely anything, so instead of just being a set of data, you could find yourself executing function calls, or whatever.

Also, JSON's parse accepts an aditional parameter, reviver, that lets you specify how to deal with certain values, such as datetimes (more info and example in the inline documentation here)

David Hedlund  2009-12-03 22:20:06
+9  A: 

You are more vulnerable to attacks if using eval: JSON is a subset of Javascript and json.parse just parses JSON whereas eval would leave the door open to all JS expressions.

jldupont  2009-12-03 22:20:21
+3  A: 

Not all browsers have native JSON support so there will be times where you need to use eval() to the JSON string. Use JSON parser from http://json.org as that handles everything a lot easier for you.

Eval() is an evil but against some browsers its a necessary evil but where you can avoid it, do so!!!!!

AutomatedTester  2009-12-03 22:22:59
+2  A: 

All JSON.parse implementations most likely use eval()

JSON.parse is based on Douglas Crockford's http://www.json.org/json2.js, which uses eval() right there on line 469

// In the third stage we use the eval function to compile the text into a
// JavaScript structure. The '{' operator is subject to a syntactic ambiguity
// in JavaScript: it can begin a block or an object literal. We wrap the text
// in parens to eliminate the ambiguity.

j = eval('(' + text + ')');

The advantage of JSON.parse is that it verifies the argument is correct JSON syntax.

plodder  2010-04-20 22:38:42
yeah, except that the line right before that verifies that it's a safe and valid string.
nickf  2010-04-20 22:56:09

related questions

What JavaScript patterns do you use most?
Javascript events
What style do you use for creating an "class" in JavaScript?
Graphing JavaScript Library
What's the difference in closure style
Getting the text from a drop-down box
How to specify javascript to run when ModalPopupExtender is shown
Length of Javascript Associative Array
How Do I Post and then redirect to an external URL from ASP.Net?
How to set up a CSS switcher in ASP.NET
Wrapping lists into columns
Javascript keyboard events primer? (or rather: help me with my custom dropdown)
Http Auth in a Firefox 3 bookmarklet
Best Debugging Tools for JavaScript/xulrunner Development
How can I turn a string of HTML into a DOM object in a Firefox extension?
Call ASP.NET Function From Javascript?
Javascript troubleshooting tools in IE
MAC addresses in JavaScript
Capturing TAB key in text box
CSS Background Color in Javascript
How can I make the browser see CSS and Javascript changes?
Triple Quotes? How do I delimit a databound Javascript string parameter in ASP.NET?
ASP .Net Custom Client-Side Validation
What JavaScript library would you choose for a new project and why?
Detecting font in JavaScript