Given a string of JSON data, how can you safely turn that string into a JavaScript object?
Obviously you can do this unsafely with something like...
var obj = eval("(" + json + ')');
...but that leaves us vulnerable to the json string containing other code, which it seems very dangerous to simply eval.
Source: Tips4all, CCNA FINAL EXAM
JSON.org has JSON parsers for many languages including 4 different ones for JavaScript. I believe most people would consider json2.js their go-to implementation.
Don't bother with that crap. If you're using jQuery just use:
jQuery.parseJSON( jsonString );
It's exactly what you're looking for
http://api.jquery.com/jQuery.parseJSON/
Why not just:
JSON.parse(jsonString);
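Added example (not part of the original thread or any poster's code): the eval pattern from the question next to JSON.parse, run on the same inputs. The names unsafeParse, safeParse, touch and sideEffects and both sample strings are constructed for illustration.

```javascript
// Added example; all names and sample strings here are constructed.
let sideEffects = 0;            // stands in for any code hidden in the string
function touch() { sideEffects += 1; return 1; }

// Constructed inputs: one valid JSON document, and one string that is
// valid JavaScript but not valid JSON (it contains a function call).
const goodJson = '{"key1": {"something": 42}}';
const hostileJson = '{"key1": touch()}';

// The pattern from the question: the string is executed as code.
function unsafeParse(json) {
  return eval('(' + json + ')');
}

// JSON.parse accepts only the JSON grammar; anything else throws a
// SyntaxError, which is turned into an explicit result for the caller.
function safeParse(json) {
  try {
    return { ok: true, value: JSON.parse(json) };
  } catch (err) {
    if (err instanceof SyntaxError) return { ok: false, error: err.message };
    throw err;
  }
}

function demo() {
  sideEffects = 0;
  const viaEval = unsafeParse(hostileJson);   // touch() runs during "parsing"
  const afterEval = sideEffects;
  const viaParse = safeParse(hostileJson);    // rejected, touch() is not run
  return {
    afterEval,
    afterParse: sideEffects,
    evalValue: viaEval.key1,
    parseOk: viaParse.ok,
    good: safeParse(goodJson),
  };
}

console.log(demo());
```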
I'm not sure about other ways to do it but here's how you do it in Prototype (JSON tutorial).
new Ajax.Request('/some_url', {
  method: 'get',
  requestHeaders: {Accept: 'application/json'},
  onSuccess: function(transport) {
    var json = transport.responseText.evalJSON(true);
  }
});
Calling evalJSON() with true as the argument sanitizes the incoming string.
If you're using jQuery, you can also just do $.getJSON(url, function(data) { });
Then you can do things like data.key1.something, data.key1.something_else, etc.
$.ajax({
  url: url,
  dataType: 'json',
  data: data,
  success: callback
});
The callback is passed the returned data, which will be a JavaScript object or array as defined by the JSON structure and parsed using the $.parseJSON() method.
JS Guru Douglas Crockford has written a parseJSON function which you can download here
I have successfully been using json_sans_eval for a while now. According to its author, it is more secure than json2.js.