
Safely turning a JSON string into an object


Given a string of JSON data, how can you safely turn that string into a JavaScript object?



Obviously you can do this unsafely with something like...




var obj = eval("(" + json + ')');



...but that leaves us vulnerable to the json string containing other code, which it seems very dangerous to simply eval.


Source: Tips4all

Comments

  1. JSON.org has JSON parsers for many languages, including 4 different ones for JavaScript. I believe most people would consider json2.js their go-to implementation.

  2. Don't bother with that crap. If you're using jQuery just use:

    jQuery.parseJSON( jsonString );

    It's exactly what you're looking for

    http://api.jquery.com/jQuery.parseJSON/

  3. Why not just:

    JSON.parse(jsonString);

  4. I'm not sure about other ways to do it but here's how you do it in Prototype (JSON tutorial).

    new Ajax.Request('/some_url', {
        method: 'get',
        requestHeaders: {Accept: 'application/json'},
        onSuccess: function(transport) {
            var json = transport.responseText.evalJSON(true);
        }
    });


    Calling evalJSON() with true as the argument sanitizes the incoming string.

  5. If you're using jQuery, you can also just do $.getJSON(url, function(data) { });

    Then you can do things like data.key1.something, data.key1.something_else, etc.

  6. $.ajax({
         url: url,
         dataType: 'json',
         data: data,
         success: callback
     });



    The callback is passed the returned data, which will be a JavaScript object or array as defined by the JSON structure and parsed using the $.parseJSON() method.

  7. JS Guru Douglas Crockford has written a parseJSON function which you can download here

  8. I have successfully been using json_sans_eval for a while now. According to its author, it is more secure than json2.js.

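The difference between the `eval` pattern in the question and `JSON.parse` from comment 3, as an added example that is not part of the original post or its comments. `safeParse`, `unsafeEvalParse`, `recordSideEffect` and both sample strings are hypothetical names and constructed data.

```javascript
// Added example: contrast eval() with JSON.parse() on constructed inputs.
// All function names and sample strings here are assumptions for illustration.

// Strict parse: returns a result object instead of throwing on bad input.
function safeParse(text) {
  if (typeof text !== 'string') {
    return { ok: false, error: 'input is not a string' };
  }
  try {
    return { ok: true, value: JSON.parse(text) };
  } catch (err) {
    return { ok: false, error: err.message };
  }
}

// The pattern from the question, kept only to show what it lets through.
function unsafeEvalParse(text) {
  return eval('(' + text + ')');
}

// A harmless stand-in for "other code": it only counts how often it ran.
let sideEffects = 0;
globalThis.recordSideEffect = function () {
  sideEffects += 1;
  return 'ran';
};

// Constructed inputs: one valid JSON document, and one string that is
// JavaScript rather than JSON (it calls a function while being evaluated).
const validJson = '{"user": "alice", "roles": ["admin", "dev"]}';
const notJson = '{"user": recordSideEffect()}';

function demo() {
  sideEffects = 0;
  const good = safeParse(validJson);
  const rejected = safeParse(notJson);        // SyntaxError caught, nothing runs
  const afterSafe = sideEffects;              // counter is still 0 here
  const evaluated = unsafeEvalParse(notJson); // eval executes recordSideEffect()
  return { good, rejected, afterSafe, evaluated, afterEval: sideEffects };
}

console.log(demo());
```

`JSON.parse` accepts only the JSON grammar, so the string containing a function call is rejected before anything executes, while `eval` runs it as part of building the object.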
