Havvy | 11 years ago
Some people have used eval() to do JSON parsing because JSON is a subset of JS, but if the user has any control over making malformed JSON, they could do so to create JS that can do anything the page can from the context of another user, otherwise known as Cross-Site Scripting (XSS).
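An added example, not part of the comment above: the eval()-based parsing pattern next to JSON.parse, run on a constructed string that is not valid JSON but is valid JavaScript. The function names, the `evalRan` flag and the sample inputs are all hypothetical, and the embedded expression only sets a flag so the difference is observable.

```javascript
// Added example (not from the original comment). All names are hypothetical.

// Legacy pattern: the text is compiled as JavaScript source,
// so any expression embedded in it is executed with the page's privileges.
function parseWithEval(text) {
  return eval('(' + text + ')');
}

// Hardened form: JSON.parse accepts only the JSON grammar and never runs code.
// Malformed input is reported as a parse failure instead of being executed.
function parseStrict(text) {
  try {
    return { ok: true, value: JSON.parse(text) };
  } catch (err) {
    if (err instanceof SyntaxError) {
      return { ok: false, error: err.message };
    }
    throw err;
  }
}

// Constructed inputs. The second is malformed JSON that is still valid JS:
// the value of "user" is a parenthesised expression with a harmless side effect.
const wellFormed = '{"user": "alice", "admin": false}';
const malformed = '{"user": (globalThis.evalRan = true, "alice"), "admin": false}';

function demo() {
  globalThis.evalRan = false;
  const viaEval = parseWithEval(malformed);
  const ranUnderEval = globalThis.evalRan; // the embedded expression executed

  globalThis.evalRan = false;
  const viaParse = parseStrict(malformed);
  const ranUnderParse = globalThis.evalRan; // nothing executed, input rejected

  return {
    viaEval,
    ranUnderEval,
    viaParse,
    ranUnderParse,
    good: parseStrict(wellFormed),
  };
}

console.log(demo());
```

The object returned through eval() looks like ordinary parsed data, so the execution leaves no trace in the result itself; only the strict parser surfaces the malformed input as an error.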