-1

I'm making a library, but people who want to use this library can only use JavaScript to add it in. So I thought why not use JSON and AJAX? Can I create functions in JSON?

Remember: This is pretty much raw javascript, just one external library called modpe is used, however programmers don't need to add the library in since it's loaded in an application.

EDIT:

I want to achieve creating an api in JSON. The problem is if I should create functions in JSON.

Jaskaran Singh
  • 3
  • 4
  • if you need to transfer entire functions through the 'Net, then you probably have a design error. That aside, you *can* transfer the source code of the function as a string and then `eval()` it, but ask any decent JavaScript developer whether you *should* do that – they'll say "nope nope nope". – The Paramagnetic Croissant Apr 10 '15 at 14:56
  • 1
    It's unclear to me based on your question what it is exactly you are trying to achieve. Can you please clarify? Generally speaking though, JSON is a data description language/data interchange format, and I think many would agree that you should avoid defining functions in JSON. – rdgd Apr 10 '15 at 14:57
  • The first reply was the best answer to my question. – Jaskaran Singh Apr 10 '15 at 17:32

3 Answers3

1

You cant have functions in JSON, it is a data only format.

You could use pass code back in your JSON and then use eval() but that is a terrible idea for many reasons.

Another option is to provide them with an JS API client you have written that has all the functionality you need.

Community
  • 1
  • 1
Joey Ciechanowicz
  • 3,345
  • 3
  • 24
  • 48
0

The JSON specification is very specific and restrictive, so no you cannot add a function to JSON.

That said, if you control the server, you can send any response you want to, including javascript. There's no reason you couldn't respond with a Javascript object literal that includes a function. Just be aware that most JSON parsers will choke on the result. (But, in that case, you may as well just use a <script> tag to include an external javascript API)

JDB
  • 25,172
  • 5
  • 72
  • 123
-1

Assuming you have control of the JSON, there is no security risk with using eval or the Function constructor to parse function code from a JSON string. You could even design it in a pretty way using eJSON.

The main reason not to do it is performance. Runtime-evaluated code is slower. Other reasons include debugging and caching.

It's just as easy to use JavaScript to insert a <script> element with the src pointing to your library.

Touffy
  • 6,309
  • 22
  • 28
  • Allowing use of eval at all is a security risk. Ensuring **full and exclusive** control over the content of a web page is not nearly as simple as many beginners think. – symcbean Apr 11 '15 at 23:55
  • Yeah, it's even impossible, since users can always change it themselves. I'd be curious to know how you think `eval` can be made to evaluate malicious code when called with a string obtained entirely from a static and trusted source (beside compromising the whole server or MitM attacks, which makes the whole point irrelevant). – Touffy Apr 12 '15 at 05:53
  • That big, long list of qualifications in your comment are **exactly** the things which need to be in place and which are very difficult to ensure in practice. – symcbean Apr 13 '15 at 14:37
  • Long list? I mentionned only two things: a *static* and *trusted* source. That's not hard to achieve at all. Put your JSON in a file, which makes sense here as we're talking about a code library, not data. Hardcode the request URL, which also makes sense. That's it. No more or less secure than using a ` – Touffy Apr 13 '15 at 14:44