0

Just playing around with a JSON array and wanted to know if it was possible to console log from directly within a JSON array, i.e.:

{ "id": "1", "type": "text", "description": "hello <script>console.log('console this text')</script> I am testing" },

In the above example it will display the <script>console.log('console this text')</script> as text rather than as actual html. Any way to make this work to produce the message in console by placing it within the array?

Dave
  • Insert it into the DOM. Then it should get parsed and executed. – Sirko Aug 23 '13 at 06:28
  • @Sirko: As in a `document.write`? Can you provide an example answer? Thanks – Dave Aug 23 '13 at 06:34
  • Probably this is what you are looking for http://stackoverflow.com/questions/510779/calling-a-javascript-function-returned-from-an-ajax-response – rAjA Aug 23 '13 at 06:35
  • @RajaM: Thanks but doesn't quite tell me how to do it as per my example above :/ – Dave Aug 23 '13 at 06:38
  • @Dave I'd prefer to use some `
    ` in your document and then set `innerHTML` to the respective content.
    – Sirko Aug 23 '13 at 06:43
  • @Sirko Even then, the only code that would be interpreted would be the stuff between the script tags... the rest would dump visibly on the page. It would be easier just to eval() the entire chunk. – Steve Aug 23 '13 at 06:54
  • @Steve `eval()` would choke on the text parts, which are part of the given string. Making the `
    ` invisible by `display: none;` circumvents that problem.
    – Sirko Aug 23 '13 at 07:41
  • @Sirko True dat. Good enough. – Steve Aug 23 '13 at 08:00

2 Answers

1

That really depends on what you mean...

In straight JavaScript, you can use object notation in that way, but you really need to wrap it in a function call.

In addition to this, you are mixing javascript and loose text very badly... you really need to let the browser know which one you are using and when.

For example, those script tags? If you are already using JavaScript, then why tell the browser 'here is some script'?

With a little cleaning up:

var myObject = { 
    id: "1", 
    type: "text", 
    description: function(){console.log('console this text')}
}

myObject.description();

This is valid JavaScript and will run perfectly well in a browser if entered into the page this way.

However, I suspect that this isn't what you mean... what you intend to do is to pull this from an AJAX call, for example, and have it run arbitrary script within a browser.

That will not work.

JSON, used this way, is designed as a data format, and does not allow methods to be passed, only properties.

However, there are some uses where this type of behavior could be coaxed: LOOK HERE.

In short, ANY text, JSON or not, could be evaluated on a client system and could potentially run malicious code. This is very similar to security issues in PHP where poor programming practice allows the use of eval and other exploits to run client-fed code on the server.

This is why so many websites are neurotic in their scrubbing of any data which has been fed by an arbitrary user... scrubbing html tags and javascript code out of user comments, for example.

Steve
  • Thanks Steve, that makes perfect sense now! – Dave Aug 23 '13 at 06:43
  • Can you update your answer to show text before and after the function in "description"? – Dave Aug 23 '13 at 06:46
  • @Dave You mean to dump text onto the web page? No... not without a document.write() or similar. In this case, it is pure JavaScript, so raw text is not displayed as it would be in HTML; it's instead handled as an error. Imagine the above code placed between your script tags, for example, or loaded into an external script file. It isn't interpreted as HTML at all. – Steve Aug 23 '13 at 06:51
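As an added example (not part of the original question or answers), this Node.js sketch checks three points from the discussion above: a `<script>` tag inside a JSON string is parsed as inert data, functions do not survive JSON serialization, and escaping the string before it is placed in HTML makes the markup display as text. The function names and the sample record are constructed for illustration.

```javascript
// Constructed sample record, modelled on the one in the question.
const wire = '{"id":"1","type":"text","description":"hello <script>console.log(\'console this text\')</script> I am testing"}';

// 1. JSON.parse only builds data: the markup arrives as an ordinary string
//    and nothing inside it is executed.
function parseRecord(text) {
  const record = JSON.parse(text);
  if (typeof record.description !== 'string') {
    throw new TypeError('description must be a string');
  }
  return record;
}

// 2. Functions are not part of JSON: JSON.stringify silently drops them,
//    and JSON.parse rejects function syntax outright.
function survivesJson(value) {
  const text = JSON.stringify({ description: value });
  return Object.prototype.hasOwnProperty.call(JSON.parse(text), 'description');
}

function isValidJson(text) {
  try { JSON.parse(text); return true; } catch (e) { return false; }
}

// 3. Escape the string before it is concatenated into HTML so that any
//    tags in user-supplied data are shown as text instead of being parsed.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

function renderDescription(record) {
  return '<p class="description">' + escapeHtml(record.description) + '</p>';
}

const record = parseRecord(wire);
console.log(typeof record.description);                     // the script tag is just text
console.log(survivesJson(function () {}));                  // function property is dropped
console.log(isValidJson('{"description": function(){}}'));  // not valid JSON
console.log(renderDescription(record));
```

In a browser, assigning the parsed string to an element's `textContent` gives the same result without manual escaping.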
0

You can try using a self invoking function.

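var obj = {
    'a': '1',
    'b': '2',
    // The function runs immediately while the object is built and logs '3';
    // it returns nothing, so obj.c ends up undefined.
    'c': (function(){console.log('3')})()
};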