Difference between eval and window.json.parse for dealing with a responseText?

I have the following code at hand

var finalCompleteData = eval("(" + jsonresponse.responseText + ")"); // eval executes the body as JavaScript, not just JSON

When I used this, I received a security flaw error in Fortify saying that it might lead to Javascript Hacking. So, I changed it to

var finalCompleteData = window.JSON.parse(jsonresponse.responseText); // built-in object is JSON (uppercase); window.json is undefined

For this, Fortify did not show the error. What does the window.json.parse method do?

Can you please explain. Thanks in advance :-)

Satish Kumar asked Feb 24 '23 05:02


1 Answer

eval will execute any JavaScript code which it is supposed to evaluate, and it evaluates with the highest level of security. This means that if your response text returns non-json code, but valid javascript, the eval will execute it. The sky is the limit with this, it can add new functions, change variables, redirect the page.

With window.json.parse only json will be evaluated, so the risk of rogue code getting entered is much much less.

kemiller2002 answered Feb 26 '23 22:02
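The contrast the answer describes, as an added example that is not part of the original question or answer: both approaches agree on a well-formed JSON body, but a body that is valid JavaScript rather than JSON is executed by eval() and rejected by JSON.parse(). The response bodies and the recordSideEffect helper are constructed for this example.

```javascript
// Added example: legacy eval() parse versus JSON.parse() on constructed inputs.

// A counter that a non-JSON body can bump through eval(); it stands in for
// any side effect (changing variables, redirecting the page) the answer mentions.
var sideEffects = 0;
function recordSideEffect() { sideEffects += 1; }

// Legacy approach from the question: eval() of the parenthesised response text.
function legacyParse(responseText) {
  return eval("(" + responseText + ")");
}

// Hardened approach: JSON.parse() accepts only the JSON grammar and throws a
// SyntaxError on anything else, so a non-JSON body is rejected, never executed.
function safeParse(responseText) {
  try {
    return { ok: true, data: JSON.parse(responseText) };
  } catch (e) {
    return { ok: false, error: e.name + ": " + e.message };
  }
}

// Constructed sample bodies. The second is valid JavaScript but not JSON: it
// calls a function and still yields an object shaped like the expected data.
var goodBody = '{"status":"ok","items":[1,2,3]}';
var jsBody = '(recordSideEffect(), {"status":"ok","items":[]})';

function demo() {
  sideEffects = 0;
  var viaEval = legacyParse(goodBody);   // plain object, same as JSON.parse
  var viaJson = safeParse(goodBody);     // { ok: true, data: {...} }
  legacyParse(jsBody);                   // eval runs the embedded call
  var evalRanCode = sideEffects === 1;
  var jsonRejected = !safeParse(jsBody).ok; // JSON.parse threw SyntaxError
  return {
    sameOnJson: JSON.stringify(viaEval) === JSON.stringify(viaJson.data),
    evalRanCode: evalRanCode,
    jsonRejected: jsonRejected
  };
}
```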