JSON.parse vs. eval()
My Spider Sense warns me that using eval()
to parse incoming JSON is a bad idea. I'm just wondering if JSON.parse()
- which I assume is a part of JavaScript and not a browser-specific function - is more secure.
You are more vulnerable to attacks if using eval
: JSON is a subset of Javascript and json.parse just parses JSON whereas eval
would leave the door open to all JS expressions.
All JSON.parse
implementations most likely use eval()
JSON.parse
is based on Douglas Crockford's solution, which uses eval()
right there on line 497.
// In the third stage we use the eval function to compile the text into a
// JavaScript structure. The '{' operator is subject to a syntactic ambiguity
// in JavaScript: it can begin a block or an object literal. We wrap the text
// in parens to eliminate the ambiguity.
j = eval('(' + text + ')');
The advantage of JSON.parse
is that it verifies the argument is correct JSON syntax.
Not all browsers have native JSON support so there will be times where you need to use eval()
to the JSON string. Use JSON parser from http://json.org as that handles everything a lot easier for you.
Eval()
is an evil but against some browsers its a necessary evil but where you can avoid it, do so!!!!!
There is a difference between what JSON.parse() and eval() will accept. Try eval on this:
var x = "{\"shoppingCartName\":\"shopping_cart:2000\"}"
eval(x) //won't work
JSON.parse(x) //does work
See this example.
If you parse the JSON with eval
, you're allowing the string being parsed to contain absolutely anything, so instead of just being a set of data, you could find yourself executing function calls, or whatever.
Also, JSON's parse
accepts an aditional parameter, reviver, that lets you specify how to deal with certain values, such as datetimes (more info and example in the inline documentation here)