top | item 11257759

jedschmidt|10 years ago

Sure, as it could with any part of your app, including wherever your JSON.parse code lives.

conradev|10 years ago

But could JSON.parse() fed with malicious data fire off an XMLHttpRequest or delete all of your data?

curveship|10 years ago

No. That's the whole point of using JSON.parse() instead of eval(). JSON is defined as a non-executing subset of JavaScript syntax, one that contains only literal expressions. JSON.parse() will only parse valid JSON.

This is why, for instance, there's no native Date format in JSON. Dates in JavaScript require running a constructor -- new Date() -- so they aren't in JSON.
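As an added illustration of the point made above (example code written for this page, not posted by anyone in the thread), the following Node.js snippet feeds the same constructed text to eval() and to JSON.parse(). The eval path is kept only to show the behaviour being avoided; the input strings, the `sideEffect` global and the `created` key are all constructed for the example.

```javascript
// Constructed input: valid JavaScript, but not valid JSON. It is an expression
// that runs code (an IIFE that writes a global) rather than a pure literal.
const executableText =
  '(function () { globalThis.sideEffect = "ran"; return { ok: true }; })()';

// Constructed input: a plain data literal, which is valid JSON.
const dataText =
  '{"user":"alice","roles":["admin"],"created":"2014-01-01T00:00:00.000Z"}';

// The pattern to avoid: eval() happily executes whatever the text contains.
function deserializeWithEval(text) {
  return eval(text); // runs the IIFE above, so the side effect fires
}

// The safe pattern: JSON.parse() accepts only the literal subset and throws
// a SyntaxError on anything else, so no constructor or function ever runs.
function parseUntrusted(text) {
  try {
    return { ok: true, value: JSON.parse(text) };
  } catch (err) {
    return { ok: false, error: err.name };
  }
}

// JSON has no Date type: a Date survives a round trip only as an ISO string,
// exactly because reconstructing it would require running new Date().
function roundTripDate(date) {
  const parsed = JSON.parse(JSON.stringify({ when: date }));
  return { type: typeof parsed.when, isDate: parsed.when instanceof Date };
}

// If the consumer wants real Date objects, it opts in with a reviver that
// converts one known key; the decision stays with the caller, not the data.
function parseWithDateReviver(text) {
  return JSON.parse(text, (key, value) =>
    key === 'created' && typeof value === 'string' ? new Date(value) : value
  );
}
```

Run under Node.js: `parseUntrusted(executableText)` returns `{ ok: false, error: 'SyntaxError' }` and leaves `globalThis.sideEffect` undefined, while `deserializeWithEval(executableText)` sets it to `"ran"`. The reviver is the one sanctioned hook for turning strings into richer types, and it only ever constructs what the consumer chose to construct.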

dspillett|10 years ago

That would concern me too potentially, though if there isn't one already it should be easy to implement a switch that would turn this part of the behaviour off.

It looks very interesting to me from the point of view of dealing with certain data types better (at all, in fact), and handling circular references.

mwhite|10 years ago

It seems like it theoretically shouldn't be too hard to add the ability to validate that the data is a valid lave output if you're concerned about that. That more or less leaves only the issue of anonymous functions in the data being replaced with malicious functions, but frankly the only reason to be serializing functions is if they're user input, otherwise you should instead be serializing function name/key strings or some other well-defined form of function references and/or arguments.

CiPHPerCoder|10 years ago

OK, so put a ring on it.

And by ring, I of course mean HMAC.