As far as I know it is considered bad practice to <code>eval()</code> JSON objects in JavaScript, because of security. I can understand this concern if the JSON comes from another server. But if the JSON is provided by my own server and is created using PHP's <code>json_encode</code> (let us assume it is not buggy), is it legitimate to simply use <code>eval()</code> to read the JSON in JS or are there any security problem I currently can't think of? I really don't want to deal with dynamically loading a JSON parser and would be glad to simply use <code>eval()</code>. PS: I will obviously use the native <code>JSON</code> object if it is available, but want to fall back to <code>eval()</code> for IE/Opera.

There are a number of ways that your security may be compromised. <ul> <li>Man in the middle attacks could theoretically alter the contents of data being delivered to the client.</li> <li>Your server traffic could be intercepted elsewhere and different content could be provided (not quite the same as a MIM attack)</li> <li>Your server could be compromised and the data source could be tampered with.</li> </ul> and these are just the simple examples. XSS is nasty. "an ounce of prevention is worth a pound of cure"

Why not eval() JSON?

Tags:

json

javascript

eval

As far as I know it is considered bad practice to eval() JSON objects in JavaScript, because of security. I can understand this concern if the JSON comes from another server.

But if the JSON is provided by my own server and is created using PHP's json_encode (let us assume it is not buggy), is it legitimate to simply use eval() to read the JSON in JS or are there any security problem I currently can't think of?

I really don't want to deal with dynamically loading a JSON parser and would be glad to simply use eval().

PS: I will obviously use the native JSON object if it is available, but want to fall back to eval() for IE/Opera.

973

asked Nov 24 '10 19:11

NikiC

2 Answers

In your scenario, the question becomes, where is PHP getting the javascript to execute from? Is that channel secure, and free from potential user manipulation? What if you don't control that channel directly?

196

answered Sep 21 '22 07:09

Matthew Vines

There are a number of ways that your security may be compromised.

Man in the middle attacks could theoretically alter the contents of data being delivered to the client.
Your server traffic could be intercepted elsewhere and different content could be provided (not quite the same as a MIM attack)
Your server could be compromised and the data source could be tampered with.

and these are just the simple examples. XSS is nasty.

"an ounce of prevention is worth a pound of cure"

answered Sep 19 '22 07:09

zzzzBov

Related questions
                            
                                Access JavaScript variables with Selenium IDE
                            
                                How can I use jQuery to style /parts/ of all instances of a specific word?
                            
                                Dynamically Including jQuery using JavaScript if it's not already present
                            
                                Does anyone know of a spell checker plugin for ckeditor that uses aspell or a similar local service instead of spellchecker.net? [closed]
                            
                                Check if a file exist in the Server in ASP.NET
                            
                                Classic ASP server-side JSON library
                            
                                How to sort an array of objects based on a the length of a nested array in javascript
                            
                                How can I monitor the rendering time in a browser?
                            
                                JQuery UI tabs: How do I navigate directly to a tab from another page?
                            
                                Are google chrome extension "content" scripts sandboxed?
                            
                                javascript var declaration within loop
                            
                                Progress Bar Filling - jQuery Implementation
                            
                                Scrolling to the top of a page in a gwt application
                            
                                Where are all the simple functions gone in WebGL?
                            
                                Is it possible to sanitize Javascript code?
                            
                                Can Chrome extension content scripts access window.opener?
                            
                                Adding jqGrid Custom Navigation to Top Toolbar
                            
                                How to install eclipse for java developer,c/c++ developer, php developer at the same time?
                            
                                Play! Framework: Best practice to use URLs in separate JavaScript files?
                            
                                input type="submit" instead of input type="button" with AJAX?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!

Donate Us With