Is Eval Evil for Ajax Responses


Douglas Crockford

I have seen numerous postings about eval() and its evils on this forum.
However, one of our developers is using it in the following way,
which seems like a great use of it.

Page makes Ajax request to ASP.Net web service. Web service does some
data lookup and builds a string representation of a Javascript array
which is then returned to the client. In the Ajax callback, eval is
called on the returned string and voila, instant populated data
structure.

Another way to do this would be to pass back xml and walk the xml dom
in the callback, populating an array as you go.

Either way you have to do roughly the same amount of work on the server
(perhaps slightly less with no xml).

I am not worried about the compilation of the eval'd string. Our tests
have been lightning fast. Is the biggest danger in this case x-browser
issues?

Using eval on JSON text is one of the very few instances where it is
good to use eval.

The security issue depends on how much you trust the server. If you
are getting data from the same server that issued the page, then using
eval is no less secure than the html it vended.

If you are getting data from a potentially dangerous server that could
steal cookies or send messages to your server as you, then you must
not use eval. You can use JSON.parse instead, which would be safe.

http://www.JSON.org

matty

Larry said:
Hi there:

I have seen numerous postings about eval() and its evils on this forum.
However, one of our developers is using it in the following way,
which seems like a great use of it.

Google Earth uses eval to execute a (large) piece of javascript code
that is returned from the XMLHttpRequest. It's great and works wonders.
Google is Evil though :)

Matt Silberstein

On Thu, 17 Nov 2005 14:28:33 +0100, in comp.lang.javascript , aundro
<[email protected]> in

[snip]
Actually, I was thinking of creating objects whose
properties/structure you can't 'guess' on the client-side; those can be
pretty complex. In that case, using an eval might probably become more
efficient than parsing strings.

Isn't one of the points of XML that the data self-describes? That is,
by getting an XML response and then parsing as such you figure out the
structure. This allows a consistent approach to a variety of data
structures and allows "none" (which probably means minimal) changes to
the client side if the data structure is changed on the server side.

(I am coming at this with a large programming background, but little
specific experience with these technologies. I will have insights that
are both interesting and new. Unfortunately the new insights won't be
interesting and the interesting insights won't be new.)

[snip]

--
Matt Silberstein

Do something today about the Darfur Genocide

http://www.beawitness.org
http://www.darfurgenocide.org
http://www.savedarfur.org

"Darfur: A Genocide We can Stop"