Home/ Questions/Q 278205
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-12T01:12:05+00:00

From a security perspective, I can see simply doing an ‘eval’ on incoming JSON

  • 0

From a security perspective, I can see simply doing an ‘eval’ on incoming JSON data as a critical mistake. If you got data like below you’d have some problems.

{ someData:((function() { 
    alert("i'm in ur code hackin' ur page"); 
})()) }

I wondered what do most popular Javascript libraries do? Is it a manual parse or simply an eval?

[Edit]

I’m not asking if I should eval/parse – I was asking what methods some of the popular Javascript libraries used (jQuery, Prototype, etc…)

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Here’s what the official JavaScript parser does:

    // In the second stage, we run the text against regular expressions that look
// for non-JSON patterns. We are especially concerned with '()' and 'new'
// because they can cause invocation, and '=' because it can cause mutation.
// But just to be safe, we want to reject all unexpected forms.

// We split the second stage into 4 regexp operations in order to work around
// crippling inefficiencies in IE's and Safari's regexp engines. First we
// replace the JSON backslash pairs with '@' (a non-JSON character). Second, we
// replace all simple value tokens with ']' characters. Third, we delete all
// open brackets that follow a colon or comma or that begin the text. Finally,
// we look to see that the remaining characters are only whitespace or ']' or
// ',' or ':' or '{' or '}'. If that is so, then the text is safe for eval.

if (/^[\],:{}\s]*$/.
    test(text.replace(/\\(?:["\\\/bfnrt]|u[0-9a-fA-F]{4})/g, '@').
    replace(/"[^"\\\n\r]*"|true|false|null|-?\d+(?:\.\d*)?(?:[eE][+\-]?\d+)?/g, ']').
    replace(/(?:^|:|,)(?:\s*\[)+/g, ''))) {

// In the third stage we use the eval function to compile the text into a
// JavaScript structure. The '{' operator is subject to a syntactic ambiguity
// in JavaScript: it can begin a block or an object literal. We wrap the text
// in parens to eliminate the ambiguity.

    j = eval('(' + text + ')');

    ...

    With the exception of the built-in JSON parsing support that is in modern browsers, this is what all (library-based) secure JSON parsers do (ie, a regex test before eval).

    Secure libraries (in addition to the official json2 implementation)

    Prototype’s isJSON function.

    Mootools’ JSON.decode function (again, via a regex test before eval).

    Unsecure libraries:

    dojo’s fromJson does not provide secure evaling. Here is their entire implementation (minus comments):

    dojo.fromJson = function(json) {
    return eval("(" + json + ")");
}

    jQuery does not provide secure JSON eval‘ing, but see the official plugin’s secureEvalJSON function (line 143).

    • 0