Douglas Crockford
I have seen numerous postings about eval() and its evils on this forum.
Using eval on JSON text is one of the very few instances where it is
good to use eval.
The security issue depends on how much you trust the server. If you
are getting data from the same server that issued the page, then using
eval is no less secure than the HTML it vended.
If you are getting data from a potentially dangerous server that could
steal cookies or send messages to your server as you, then you must
not use eval. You can use JSON.parse instead, which would be safe.
http://www.JSON.org
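To make the distinction in the reply above concrete, here is an added example (not code from the original post or from JSON.org) of a client that parses a data response with JSON.parse rather than eval. The two response strings are constructed for the demo; the second one is valid JavaScript but not valid JSON, which is exactly the kind of input JSON.parse refuses and eval would happily run.

```javascript
// Added example, not part of the original post. Both response bodies
// below are constructed for this demo.

// A well-formed JSON array, the kind of thing the web service in the
// question might hand back.
const TRUSTED_RESPONSE =
  '[{"id": 1, "name": "alpha"}, {"id": 2, "name": "beta"}]';

// Valid JavaScript, but NOT valid JSON: the second element is an
// expression. eval() evaluates it; JSON.parse rejects the whole body.
const NON_JSON_RESPONSE = '[{"id": 1, "name": "alpha"}, (1 + 1)]';

// Parse a response body as data only. Returns { ok: true, value } for
// strict JSON and { ok: false, error } otherwise. Nothing in the body is
// ever executed, whichever server it came from, so this is the safe path
// when the server is not fully trusted.
function parseDataResponse(body) {
  try {
    return { ok: true, value: JSON.parse(body) };
  } catch (err) {
    // SyntaxError: the body is not JSON. Treat it as bad data, not as code.
    return { ok: false, error: String(err) };
  }
}

// For contrast only: the eval idiom of the day, wrapping the text in
// parentheses so an object literal is not parsed as a block. This is the
// path the reply says is acceptable only for a server you trust as much
// as the page itself, because anything in the body is executed.
function evalResponse(body) {
  return eval('(' + body + ')');
}

// Demo: the same two bodies through each path.
function demo() {
  const safeGood = parseDataResponse(TRUSTED_RESPONSE);
  const safeBad = parseDataResponse(NON_JSON_RESPONSE);
  console.log('JSON.parse, trusted body:', safeGood.ok, safeGood.value);
  console.log('JSON.parse, non-JSON body:', safeBad.ok, safeBad.error);
  console.log('eval, non-JSON body:', evalResponse(NON_JSON_RESPONSE));
  return { safeGood, safeBad };
}

demo();
```

The useful property is that JSON.parse fails closed: a body that is not strict JSON produces a SyntaxError and no side effects, whereas eval turns the same body into running code. The result object (rather than returning null) keeps the literal JSON text "null" distinguishable from a parse failure.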
However, one of our developers is using it in the following way,
which seems like a great use of it.
Page makes Ajax request to ASP.NET web service. Web service does some
data lookup and builds a string representation of a JavaScript array
which is then returned to the client. In the Ajax callback, call to
eval on the returned string and voila, instant populated data
structure.
Another way to do this would be to pass back XML and walk the XML DOM
in the callback, populating an array as you go.
Either way you have to do roughly the same amount of work on the server
(perhaps slightly less with no XML).
I am not worried about the compilation of the eval'd string. Our tests
have been lightning fast. Is the biggest danger in this case x-browser
issues?