From a security perspective, I can see simply doing an 'eval' on incoming JSON data as a critical mistake. If you got data like below you'd have some problems.

{ someData:((function() { 
    alert("i'm in ur code hackin' ur page"); 
})()) }

I wondered what do most popular Javascript libraries do? Is it a manual parse or simply an eval?

[Edit]

I'm not asking if I should eval/parse - I was asking what methods some of the popular Javascript libraries used (jQuery, Prototype, etc...)

asked Jul 17, 2009 at 13:51 by hugoware (edited Jul 17, 2009 at 14:00)

4 Answers


Here's what the official JavaScript parser does:

// In the second stage, we run the text against regular expressions that look
// for non-JSON patterns. We are especially concerned with '()' and 'new'
// because they can cause invocation, and '=' because it can cause mutation.
// But just to be safe, we want to reject all unexpected forms.

// We split the second stage into 4 regexp operations in order to work around
// crippling inefficiencies in IE's and Safari's regexp engines. First we
// replace the JSON backslash pairs with '@' (a non-JSON character). Second, we
// replace all simple value tokens with ']' characters. Third, we delete all
// open brackets that follow a colon or comma or that begin the text. Finally,
// we look to see that the remaining characters are only whitespace or ']' or
// ',' or ':' or '{' or '}'. If that is so, then the text is safe for eval.

if (/^[\],:{}\s]*$/.
    test(text.replace(/\\(?:["\\\/bfnrt]|u[0-9a-fA-F]{4})/g, '@').
    replace(/"[^"\\\n\r]*"|true|false|null|-?\d+(?:\.\d*)?(?:[eE][+\-]?\d+)?/g, ']').
    replace(/(?:^|:|,)(?:\s*\[)+/g, ''))) {

// In the third stage we use the eval function to compile the text into a
// JavaScript structure. The '{' operator is subject to a syntactic ambiguity
// in JavaScript: it can begin a block or an object literal. We wrap the text
// in parens to eliminate the ambiguity.

    j = eval('(' + text + ')');

    ...

With the exception of the built-in JSON parsing support that is in modern browsers, this is what all (library-based) secure JSON parsers do (i.e., a regex test before eval).

Secure libraries (in addition to the official json2 implementation)

Prototype's isJSON function.

Mootools' JSON.decode function (again, via a regex test before eval).

Insecure libraries:

dojo's fromJson does not provide secure evaling. Here is their entire implementation (minus comments):

dojo.fromJson = function(json) {
    return eval("(" + json + ")");
}

jQuery does not provide secure JSON eval'ing, but see the official plugin's secureEvalJSON function (line 143).
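The three-stage regex gate quoted above, factored into a standalone function so it can be exercised against the payload from the question. This is an added example, not code from json2.js or from any of the libraries named in the answer: the function names (looksLikeJson, safeParse, classify) and the sample inputs are constructed for the illustration, and the final parse step uses the built-in JSON.parse rather than eval, so text that passes the gate still never runs as code.

```javascript
// Added example: the json2.js-style pre-parse check, then a parse without eval.
// Function names and sample inputs are constructed for this illustration.

// Stage 1: replace JSON escape pairs with '@' (a non-JSON character).
// Stage 2: replace strings, numbers, true/false/null with ']'.
// Stage 3: delete runs of '[' that follow ':' or ',' or begin the text.
// Finally: only whitespace and ']' ',' ':' '{' '}' may remain.
function looksLikeJson(text) {
  var stripped = text
    .replace(/\\(?:["\\\/bfnrt]|u[0-9a-fA-F]{4})/g, '@')
    .replace(/"[^"\\\n\r]*"|true|false|null|-?\d+(?:\.\d*)?(?:[eE][+\-]?\d+)?/g, ']')
    .replace(/(?:^|:|,)(?:\s*\[)+/g, '');
  return /^[\],:{}\s]*$/.test(stripped);
}

// Parse only after the gate passes, and with JSON.parse instead of eval:
// anything containing '(' , 'new' or '=' has already been rejected, and
// the built-in parser cannot execute code regardless.
function safeParse(text) {
  if (!looksLikeJson(text)) {
    throw new SyntaxError('rejected by pre-parse check: non-JSON tokens present');
  }
  return JSON.parse(text);
}

// Summarise the outcome for a given input: 'blocked' by the regex gate,
// 'invalid' (passed the gate but is not JSON), or 'parsed'.
function classify(text) {
  if (!looksLikeJson(text)) return 'blocked';
  try {
    JSON.parse(text);
    return 'parsed';
  } catch (e) {
    return 'invalid';
  }
}

// Constructed inputs.
// The question's payload: an immediately invoked function inside an object literal.
var hostile = '{ someData:((function() { return "hacked"; })()) }';
// Ordinary JSON, including an escaped quote inside a string.
var benign = '{"user": "alice", "roles": ["admin", "dev"], "count": 3, "note": "a\\"q\\""}';
// Passes the regex gate (only structural characters remain after stripping)
// but is not JSON: a trailing comma. eval would accept it; JSON.parse does not.
var lenient = '{"a": 1,}';

if (typeof require !== 'undefined' && require.main === module) {
  console.log('hostile:', classify(hostile)); // blocked
  console.log('benign: ', classify(benign));  // parsed
  console.log('lenient:', classify(lenient)); // invalid
  console.log(safeParse(benign).roles);
}
```

The third input shows the point made about json2.js having only "some validation": the regexes are a security filter that keeps eval from reaching executable constructs, not a JSON validator, so a library that evals after the gate will still accept text that a real parser rejects.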

You should absolutely parse it! JSON is just a subset of JavaScript. But eval would evaluate any JavaScript code and not that specific subset like a JSON parser would.

use evalJSON() instead?
As far as I know this basically calls eval() after some sanitation checks.

From http://code.google.com/p/json-sans-eval/ :

A fast and secure JSON parser in JavaScript

This JSON parser does not attempt to validate the JSON, so may return a result given a syntactically invalid input, but does not use eval so is deterministic and is guaranteed not to modify any object other than its return value.

There are a number of JSON parsers in JavaScript at json. This implementation should be used whenever security is a concern (when JSON may come from an untrusted source), speed is a concern, and erroring on malformed JSON is not a concern.

This implementation

  • Pros Fast, secure
  • Cons Not validating

json_parse.js

  • Pros Validating, secure
  • Cons Slow

json2.js

  • Pros Fast, some validation
  • Cons Potentially insecure

json2.js is very fast, but potentially insecure since it calls eval to parse JSON data, so an attacker might be able to supply strange JS that looks like JSON, but that executes arbitrary JavaScript.

If you do have to use json2.js with untrusted data, make sure you keep your version of json2.js up to date so that you get patches as they're released.
