Loading ...
Sorry, an error occurred while loading the content.

163Re: [json] Re: JSON.parse

Expand Messages
  • f3l
    Dec 28, 2005
      On 12/28/05, Douglas Crockford <douglas@...> wrote:
      > > > I have a a new version of JSON.parse in JavaScript. It is vastly
      > > > faster and smaller than the previous version. It uses a single call
      > > > to eval to do the conversion, guarded by a single regExp test to
      > > > assure that it is safe.
      > > To be more robust, shouldn't it catch errors thrown due to malformed
      > > JSON that still passes the regex?
      > The issue is "Is it safe?" The eval function is inherently unsafe. It
      > allows a chunk of script to run with full authority. Some people have
      > been relunctant to use eval to parsing JSON text, and properly so.

      but you still have the bookmarklets issue, right?
      anyone (ok, maybe not anyone, but some ppl) can type javascript:foobar() on
      the address bar and crap all over your web page, right?
      so if it can be eval'd, the user can input it too, so whats the point?

      why not use eval?
      users can eval too!

      also, XML can be very unsafe too, depending on your implementation.

      as time passes by, and more and more ppl use xhr, more and more ppl will
      have fun with not-so-safe implementations, and SQL attacks *will* be the
      order of the day.

      every day.

      but then again, perhaps thats happening right now, so never mind me.

      [Non-text portions of this message have been removed]
    • Show all 7 messages in this topic