
Safely turning a JSON string into an object


Given a string of JSON data, how can you safely turn that string into a JavaScript object?



Obviously you can do this unsafely with something like...




var obj = eval("(" + json + ')');



...but that leaves us vulnerable to the json string containing other code, which it seems very dangerous to simply eval.


Source: Tips4all

Comments

  1. JSON.org has JSON parsers for many languages including 4 different ones for JavaScript. I believe most people would consider json2.js their go-to implementation.

  2. Don't bother with that crap. If you're using jQuery just use:

    jQuery.parseJSON( jsonString );

    It's exactly what you're looking for

    http://api.jquery.com/jQuery.parseJSON/

  3. Why not just:

    JSON.parse(jsonString);

  4. I'm not sure about other ways to do it but here's how you do it in Prototype (JSON tutorial).

    new Ajax.Request('/some_url', {
        method: 'get',
        requestHeaders: {Accept: 'application/json'},
        onSuccess: function(transport) {
            var json = transport.responseText.evalJSON(true);
        }
    });


    Calling evalJSON() with true as the argument sanitizes the incoming string.

  5. If you're using jQuery, you can also just do $.getJSON(url, function(data) { });

    Then you can do things like data.key1.something, data.key1.something_else, etc.

  6. $.ajax({
        url: url,
        dataType: 'json',
        data: data,
        success: callback
    });



    The callback is passed the returned data, which will be a JavaScript object or array as defined by the JSON structure and parsed using the $.parseJSON() method.

  7. JS Guru Douglas Crockford has written a parseJSON function which you can download here

  8. I have successfully been using json_sans_eval for a while now. According to its author, it is more secure than json2.js.

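The difference the question describes between eval and a strict parser such as JSON.parse (comment 3), shown as an added example that is not part of the original post or its comments. The function names, the constructed sample strings and the length limit are assumptions made for illustration.

```javascript
// Added example; evalParse, parseJsonSafely and the sample strings are hypothetical names.

// The pattern from the question: any expression inside the string is executed.
function evalParse(json) {
  return eval("(" + json + ")");
}

// Strict alternative: JSON.parse accepts only the JSON grammar and throws
// SyntaxError on anything else, so the caller gets data or an error, never execution.
// maxLength is an arbitrary illustrative limit, not a value from the page.
function parseJsonSafely(text, maxLength = 1000000) {
  if (typeof text !== "string") {
    return { ok: false, error: "input is not a string" };
  }
  if (text.length > maxLength) {
    return { ok: false, error: "input exceeds " + maxLength + " characters" };
  }
  try {
    return { ok: true, value: JSON.parse(text) };
  } catch (err) {
    return { ok: false, error: err.name + ": " + err.message };
  }
}

// Constructed sample inputs.
const validJson = '{"user": "alice", "roles": ["admin", "dev"]}';
// Not JSON: a call expression that records that it ran, then returns an object.
const codeBearing =
  '(function () { globalThis.sideEffectCount += 1; return {"user": "alice"}; })()';

function demo() {
  globalThis.sideEffectCount = 0;
  const viaEval = evalParse(codeBearing);         // the embedded function runs
  const afterEval = globalThis.sideEffectCount;
  const viaParse = parseJsonSafely(codeBearing);  // rejected, nothing runs
  const afterParse = globalThis.sideEffectCount;
  const good = parseJsonSafely(validJson);        // ordinary JSON still parses
  return { viaEval, afterEval, viaParse, afterParse, good };
}

console.log(demo());
```

Both calls receive the same string; only the eval path changes the counter, while the strict parser reports a SyntaxError the caller can log and reject.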
