Menu
I've learned (the hard way) that I need to add parentheses around JSON data, like this:
stuff = eval('(' + data_from_the_wire + ')'); // where data_from_the_wire was, for example {"text": "hello"} (In Firefox 3, at least).
What's the reason behind this? I hate writing code without understanding what´s behind the hood.
491
The eval() function in JavaScript is used to take an expression and return the string. As a result, it can be used to convert the string into JSON.
Malicious code : invoking eval can crash a computer. For example: if you use eval server-side and a mischievous user decides to use an infinite loop as their username. Terribly slow : the JavaScript language is designed to use the full gamut of JavaScript types (numbers, functions, objects, etc)… Not just strings!
Regarding security, using eval or not will hardly make any difference, First of all, the browser invokes the entire script in a sandbox. Any code that is evil in EVAL, is evil in the browser itself. The attacker or anyone can easily inject a script node in DOM and do anything if he/she can eval anything.
It is a possible security risk, it has a different scope of execution, and is quite inefficient, as it creates an entirely new scripting environment for the execution of the code. See here for some more info: eval. It is quite useful, though, and used with moderation can add a lot of good functionality.
eval accepts a sequence of Javascript statements. The Javascript parser interprets the ‘{’ token, occuring within a statement as the start of a block and not the start of an object literal.
When you enclose your literal into parentheses like this: ({ data_from_the_wire }) you are switching the Javascript parser into expression parsing mode. The token ‘{’ inside an expression means the start of an object literal declaration and not a block, and thus Javascript accepts it as an object literal.
117
Putting the parentheses around data_from_the_wire is effectively equivalent to
stuff = eval('return ' + data_from_the_wire + ';'); If you were to eval without the parentheses, then the code would be evaluated, and if you did have any named functions inside it those would be defined, but not returned.
Take as an example the ability to call a function just as it han been created:
(function() { alert('whoot'); })() Will call the function that has just been defined. The following, however, does not work:
function() { alert('whoot'); }() So we see that the parentheses effectively turn then code into an expression that returns, rather than just code to run.
31
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
