JSON parse vs eval

Question

My Spider Sense warns me that using eval   to parse incoming JSON is a bad idea   I m just wondering if JSON parse   - which I assume is a part of JavaScript and not a browser-specific function - is more secure

User · Answer

Not all browsers have native JSON support so there will be times where you need to use eval() to the JSON string. Use JSON parser from http://json.org as that handles everything a lot easier for you.

Eval() is an evil but against some browsers its a necessary evil but where you can avoid it, do so!!!!!

User · Answer

If you parse the JSON with eval  you re allowing the string being parsed to contain absolutely anything  so instead of just being a set of data  you could find yourself executing function calls  or whatever    Also  JSON s parse accepts an aditional parameter  reviver  that lets you specify how to deal with certain values  such as datetimes  more info and example in the inline documentation here

User · Answer

JSON is just a subset of JavaScript  But eval evaluates the full JavaScript language and not just the subset that   s JSON

User · Answer

There is a difference between what JSON parse   and eval   will accept  Try eval on this   var x       shoppingCartName     shopping cart 2000      eval x            won t work JSON parse x      does work   See this example

User · Answer

All JSON parse implementations most likely use eval    JSON parse is based on Douglas Crockford s solution  which uses eval   right there on line 497      In the third stage we use the eval function to compile the text into a    JavaScript structure  The     operator is subject to a syntactic ambiguity    in JavaScript  it can begin a block or an object literal  We wrap the text    in parens to eliminate the ambiguity   j   eval       text           The advantage of JSON parse is that it verifies the argument is correct JSON syntax

User · Answer

You are more vulnerable to attacks if using eval   JSON is a subset of Javascript and json parse just parses JSON whereas eval would leave the door open to all JS expressions

[javascript] JSON.parse vs. eval()

Examples related to javascript

Examples related to json