Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Evaluating JSON strings - eval() vs. new Function() [duplicate]

Tags:

json

javascript

eval

Possible Duplicate:
jQuery uses (new Function(“return ” + data))(); instead of eval(data); to parse JSON, why?

Given a string which represents a valid JSON string, is there a difference between these two parsing methods:

var str, obj;

str = '{"prop":"value"}';

// method 1:
obj = eval( '(' + str + ')' );

// method 2:
obj = ( new Function( 'return (' + str + ');' ) )();

I noticed that jQuery uses the second method to parse JSON strings (in environments that lack a built-in JSON parser). I wonder why they don't use the first method. Why create a function object and invoke it when you can just use eval()?

Please close as exact duplicate

like image 612
Šime Vidas Avatar asked Nov 22 '11 16:11

Šime Vidas

2 Answers

eval is executed within the scope it was declared. Function generates a new function object with its own scope and returns a reference to that function which can be called.

Take this example:

var x = 123;
var y;
function TestEval()
{
   var y = 1;
   Function("window.alert('Global x: ' + x);")(); //Prints 123
   Function("window.alert('Local y: ' + y);")(); //Prints undefined

   eval("window.alert('Global x: ' + x);"); //Prints 123
   eval("window.alert('Local y: ' + y);"); //Prints 1
}

TestEval();

The first two Function calls will print 123 (the global value of x) and undefined, the global value of y.

The two eval functions will print 123 and 1 (the local value of y). This is because eval has local access to the closure it's being run within. These behaviors (as well as the fact that eval is completely unreliable and inconsistent across many browsers) could be taken advantage of by the jQuery implementation.

Note: Code above tested in Firefox 8, your mileage may vary :)

like image 174
Mike Christensen Avatar answered Sep 21 '22 20:09

Mike Christensen

Using eval is evil because there can be lots of security holes. You are executing code in global scope. Function takes of this differently by executing in its own scope. But one thing Function does better is performance. Looking at this blog shows that Function is almost 2x faster in FF2.

Edit: I am not sure how much more secure it is when you execute document.location = "bad-url", it would still be executed using Function

like image 33
Amir Raminfar Avatar answered Sep 23 '22 20:09

Amir Raminfar
Sign in to Comment

Related questions

put my own image as marker instead of pin mark
Play Mp3 sound clip on mouseclick using jplayer?
How to split JavaScript code into multiple files and use them without including them via script tag in HTML?
What's new for web developers in iOS 5 Safari?
Navigating / scraping hashbang links with javascript (phantomjs)
Fixed html table header while scrolling
Javascript native sort method code
The gmail label chooser conundrum - is there a better way to do it?
How can I turn a string into a Location object? [duplicate]
iBooks JavaScript resources
Determine what caused scroll event to fire up
Can I get the number of the current frame in an HTML5 video?
Encrypting data with ruby decrypting with node
Unsafe JavaScript attempt to access frame with URL
How to setup Eclipse to be warned about trailing comma in JavaScript
Fully Closing a phonegap android app
Cross Domain AJAX preflighting failing Origin check
How do I show nested data into a tree?
Scrubbing HTML5 video
Risks in allowing users to upload HTML/JS files

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!