Comments on: Introduction to JSON (JavaScript Object Notation)

By: Peter

Peter — Thu, 05 Mar 2009 11:07:31 +0000

Crockford's JSON parser will properly parse (not eval!) the JSON string. However, at the time of writing this, jQuery still uses eval [if ( type == "json" ) data = window["eval"]("(" + data + ")");].

By: seangw

seangw — Mon, 02 Mar 2009 21:17:58 +0000

Joshua is correct, you should not directly use “eval(code)” in JS as it is a high security risk. Use an existing JSON parser (jQuery for example).

If the source is absolutely secure (no user entered data, etc.) you can use “eval”, it is very fast doing this directly without parsing. Just know, that any non-trusted content makes that a high risk method.

By: Joshua Kugler

Joshua Kugler — Mon, 02 Mar 2009 21:05:07 +0000

As a rule, do NOT use eval(code) to parse your JSON data. If you ever have user provided content inside JSON encoded data, you could execute malicious javascript in that user’s browser. Taken a look at the JSON parsers at http://json.org/