  • Douglas Crockford
    Dec 28 5:09 PM
      > but you still have the bookmarklets issue, right?
      > anyone (ok, maybe not anyone, but some ppl) can type javascript:foobar() on
      > the address bar and crap all over your web page, right?
      > so if it can be eval'd, the user can input it too, so what's the point?
      > why not use eval?
      > users can eval too!
      > also, XML can be very unsafe too, depending on your implementation.

      The specific problem is that you do not want to give a text from a 3rd
      party data server the same authority as your own scripts. The eval
      function unfortunately gives the visiting script too much authority.
      The regExp in JSON.parse makes that harmless.

      Ultimately, the user has (or should have) the ultimate authority over
      what happens on their own equipment.
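The distinction drawn above, between a script's own authority and text fetched from a third-party data server, can be made concrete. The block below is an added example, not code from the thread or from json.js: it implements the literal-only pre-check that RFC 4627 section 6 published (strip string literals, then reject any character that cannot occur in a JSON literal), puts it in front of `eval`, and compares it with an unguarded `eval` and with the native `JSON.parse`. The sample texts and the `probe` object are constructed for the demonstration.

```javascript
// Added example: guarding eval() with the RFC 4627 literal filter, beside an
// unguarded eval() and the native JSON.parse. Names and sample data are
// assumptions made for this demonstration; nothing here is from the original post.

// Step 1: remove every string literal, so quote-enclosed text cannot hide
// anything from the check. Step 2: if any remaining character is outside the
// set a JSON literal can use (punctuation, digits, the letters of true/false/
// null and of exponents, whitespace), the text is not pure data.
function looksLikeJsonLiteral(text) {
  const withoutStrings = text.replace(/"(\\.|[^"\\])*"/g, '');
  return !/[^,:{}\[\]0-9.\-+Eaeflnr-u \n\r\t]/.test(withoutStrings);
}

// Hardened form: text that fails the filter is refused, never evaluated.
function guardedEvalParse(text) {
  if (!looksLikeJsonLiteral(text)) {
    throw new SyntaxError('text is not a JSON literal; refusing to eval it');
  }
  // Parentheses make a top-level object literal parse as an expression.
  return eval('(' + text + ')');
}

// Vulnerable form: whatever the data server sent runs with the page's authority.
function unguardedEvalParse(text) {
  return eval('(' + text + ')');
}

// A marker the constructed "data" below tries to flip as a side effect.
const probe = { touched: false };

// Constructed sample input: ordinary data, as a trustworthy server would send it.
const benignText = '{"user":"alice","roles":["reader","editor"],"n":3.5e1}';

// Constructed sample input: syntactically a JS expression with a side effect,
// which a data server has no business sending.
const expressionText = '{"user":(probe.touched = true, "alice")}';

// Returns a small report so the outcome of each parser can be inspected.
function compareParsers(text) {
  const report = { filterAccepts: looksLikeJsonLiteral(text) };
  try { report.native = JSON.parse(text); } catch (e) { report.native = e.name; }
  try { report.guarded = guardedEvalParse(text); } catch (e) { report.guarded = e.name; }
  return report;
}
```

Run `compareParsers(benignText)` and both the guarded `eval` and `JSON.parse` return the same object; run it on `expressionText` and both refuse it with a `SyntaxError`, while `unguardedEvalParse` would execute the embedded assignment. The filter works on character classes rather than on the JSON grammar, so it is a coarse gate; since ECMAScript 5 the native `JSON.parse` is available in every mainstream engine and removes the need to evaluate fetched text at all.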
