Alternatives to JavaScript eval() for parsing JSON

Question

Quick Question. Eval in JavaScript is unsafe is it not? I have a JSON object as a string and I need to turn it into an actual object so I can obtain the data:

function PopulateSeriesFields(result) 
{
    data = eval('(' + result + ')');
    var myFakeExample = data.exampleType
}

If it helps I am using the $.ajax method from jQuery.

Thanks

I asked a similar question here: http://stackoverflow.com/questions/646597/eval-is-evil-so-what-should-i-use-instead — Gad, Jun 03 '09 at 14:37

Rene Saarsoo · Accepted Answer · 2009-06-03T18:47:38.943

27

Well, safe or not, when you are using jQuery, you're better to use the $.getJSON() method, not $.ajax():

$.getJSON(url, function(data){
    alert(data.exampleType);
});

eval() is usually considered safe for JSON parsing when you are only communicating with your own server and especially when you use a good JSON library on server side that guarantees that generated JSON will not contain anything nasty.

Even Douglas Crockford, the author of JSON, said that you shouldn't use eval() anywhere in your code, except for parsing JSON. See the corresponding section in his book JavaScript: The Good Parts

edited Jun 03 '09 at 18:47

answered Jun 03 '09 at 14:28

Rene Saarsoo

13,580
8
57
85

1

I was writing the exact same thing +1 – Pablo Fernandez Jun 03 '09 at 14:36
4

Sure, bug getJSON() is shorter to write. – Rene Saarsoo Jun 03 '09 at 16:04
8

except that $.getJSON() doesn't provide nearly the flexibility that $.ajax() does. Particularly in the handling of errors, success/complete events, etc... – Goyuix Sep 28 '10 at 22:49

score 19 · Answer 2 · answered Jun 03 '09 at 14:44

19

You should use JSON and write JSON.parse.

"Manual" parsing is too slow, so JSON.parse implementation from the library checks stuff and then ends up using eval, so it is still unsafe. But, if you are using a newer browser (IE8 or Firefox), the library code is not actually executed. Instead, native browser support kicks in, and then you are safe.

Read more here and here.

answered Jun 03 '09 at 14:44

buti-oxa

11,261
5
35
44

http://code.google.com/p/json-sans-eval/ is a manual parser that aims to be fast and secure. You are right though that the native support should be preferred where available. – Mike Samuel Oct 21 '09 at 18:17

score 6 · Answer 3 · answered Jun 03 '09 at 14:23

If you can't trust the source, then you're correct...eval is unsafe. It could be used to inject code into your pages.

Check out this link for a safer alternative:

JSON in Javascript

The page explains why eval is unsafe and provides a link to a JSON parser at the bottom of the page.

score 5 · Answer 4 · answered Jun 03 '09 at 14:19

5

Unsafe? That depends on if you can trust the data.

If you can trust that the string will be JSON (and won't include, for example, functions) then it is safe.

That said - if you are using jQuery, why are you doing this manually? Use the dataType option to specify that it is JSON and let the library take care of it for you.

answered Jun 03 '09 at 14:19

Quentin

914,110
126
1,211
1,335

2

@J-P: But only if JSON is not available. http://dev.jquery.com/browser/trunk/jquery/src/ajax.js#L504 – Gumbo Jun 03 '09 at 14:38
I have the dataType thing but it still comes back as a string. Hang on, i'll try application/JSON – Damien Jun 03 '09 at 14:39
It seems that JSON is just available as a plugin and not a build-in component of jQuery for those that doesn’t support native JSON. – Gumbo Jun 03 '09 at 14:56

score 4 · Answer 5 · edited May 23 '17 at 12:17

4

If you are using jQuery, as of version 1.4.1 you can use jQuery.parseJSON()

See this answer: Safe json parsing with jquery?

edited May 23 '17 at 12:17

Community

1
1

answered Aug 10 '10 at 16:40

thomh

799
1
5
9

score 3 · Answer 6 · answered Jun 03 '09 at 14:21

3

Using JavaScript’s eval is unsafe. Because JSON is just a subset of JavaScript but JavaScript’s eval allows any valid JavaScript.

Use a real JSON parser like the JSON parser from json.org instead.

answered Jun 03 '09 at 14:21

Gumbo

643,351
109
780
844

score 3 · Answer 7 · answered Jun 03 '09 at 14:21

The alternative to evaluating the code is to parse it manually. It's not as hard as it sounds but it's quite a lot heavier at runtime. You can read about it here.

The important part to note is evaluating JSON is not inherently insecure. As long as you trust the source not to balls things up. That includes making sure that things passed into the JSON encoder are properly escaped (to stop people 2 steps up the stream executing code on your users' machines).

score 2 · Answer 8 · answered Jul 13 '11 at 10:35

2

you can try it like this

var object = new Function("return " + jsonString)()

answered Jul 13 '11 at 10:35

TheBrain

5,528
2
25
26

1

This is simply an eval alias. – Will Morgan Oct 18 '11 at 16:15
1

@WillMorgan: Honestly when I first saw this, my jaw dropped, as i recalled that jQuery uses the exact same lines for JSON evaluation. However on investigating, this is arguably not "eval", see ' http://stackoverflow.com/questions/4599857/is-eval-and-new-function-the-same-thing ' for more information. [Btw i edited the answer to reflect this piece of information, kind of unfair for 'TheBrain' to be down voted for the wrong reasons] – PicoCreator May 05 '12 at 19:23
This doesn't answer the question that was asked. The question asked whether a particular kind of code pattern is safe or not. You don't answer that question. You just say "here's some other code you could use", which doesn't answer the question that was asked. – D.W. Mar 12 '15 at 22:58

score 0 · Answer 9 · answered Mar 09 '12 at 17:05

0

Another great alternative is YUI: http://yuilibrary.com/yui/docs/json/

So your code would be something like:

Y.JSON.parse('{"id": 15, "name": "something"}');

answered Mar 09 '12 at 17:05

Zlatko

18,936
14
70
123

Alternatives to JavaScript eval() for parsing JSON

9 Answers9

Linked