Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Why does JavaScript's eval need parentheses to eval JSON data?

I've learned (the hard way) that I need to add parentheses around JSON data, like this:

stuff = eval('(' + data_from_the_wire + ')'); // where data_from_the_wire was, for example {"text": "hello"} 

(In Firefox 3, at least).

What's the reason behind this? I hate writing code without understanding what´s behind the hood.

like image 491
Tomo Avatar asked Jun 08 '09 11:06

Tomo


People also ask

What does eval () method do in JSON?

The eval() function in JavaScript is used to take an expression and return the string. As a result, it can be used to convert the string into JSON.

Why JSON eval is not recommended for use?

Malicious code : invoking eval can crash a computer. For example: if you use eval server-side and a mischievous user decides to use an infinite loop as their username. Terribly slow : the JavaScript language is designed to use the full gamut of JavaScript types (numbers, functions, objects, etc)… Not just strings!

Why is eval not safe?

Regarding security, using eval or not will hardly make any difference, First of all, the browser invokes the entire script in a sandbox. Any code that is evil in EVAL, is evil in the browser itself. The attacker or anyone can easily inject a script node in DOM and do anything if he/she can eval anything.

Is using eval a good idea?

It is a possible security risk, it has a different scope of execution, and is quite inefficient, as it creates an entirely new scripting environment for the execution of the code. See here for some more info: eval. It is quite useful, though, and used with moderation can add a lot of good functionality.


2 Answers

eval accepts a sequence of Javascript statements. The Javascript parser interprets the ‘{’ token, occuring within a statement as the start of a block and not the start of an object literal.

When you enclose your literal into parentheses like this: ({ data_from_the_wire }) you are switching the Javascript parser into expression parsing mode. The token ‘{’ inside an expression means the start of an object literal declaration and not a block, and thus Javascript accepts it as an object literal.

like image 117
karim79 Avatar answered Sep 24 '22 15:09

karim79


Putting the parentheses around data_from_the_wire is effectively equivalent to

stuff = eval('return ' + data_from_the_wire + ';'); 

If you were to eval without the parentheses, then the code would be evaluated, and if you did have any named functions inside it those would be defined, but not returned.

Take as an example the ability to call a function just as it han been created:

(function() { alert('whoot'); })() 

Will call the function that has just been defined. The following, however, does not work:

function() { alert('whoot'); }() 

So we see that the parentheses effectively turn then code into an expression that returns, rather than just code to run.

like image 31
Alistair Evans Avatar answered Sep 24 '22 15:09

Alistair Evans