tinfanide Posted November 25, 2011

I've used eval() to turn a JSON array into an object. But people say eval() has security issues. What in particular are the issues? Turning scripts as well into JS objects? And how about stringify()? How can I make it work in IE7?

justsomeguy Posted November 25, 2011

eval executes code. That's fine if the only code to execute is code that defines an object structure, but it's not so OK if someone injected malicious code for all of your users to execute. JSON libraries include a method called parse which validates the data first to ensure it only contains a data structure and not arbitrary code to execute.

There's a JSON parser here which does not use eval, but it also doesn't validate to make sure the data structure is valid. That may result in a browser error if the data structure isn't formed correctly:

http://code.google.com/p/json-sans-eval/

There's another library here which does do validation, but also uses eval. It also includes a stringify method.

https://github.com/douglascrockford/JSON-js/blob/master/json2.js

thescientist Posted November 25, 2011

using jquery will validate and parse the data for you too.

tinfanide Posted November 26, 2011

> eval executes code. That's fine if the only code to execute is code that defines an object structure, but it's not so OK if someone injected malicious code for all of your users to execute. JSON libraries include a method called parse which validates the data first to ensure it only contains a data structure and not arbitrary code to execute. There's a JSON parser here which does not use eval, but it also doesn't validate to make sure the data structure is valid. That may result in a browser error if the data structure isn't formed correctly: http://code.google.c...json-sans-eval/ There's another library here which does do validation, but also uses eval. It also includes a stringify method. https://github.com/d...master/json2.js

Yes, thank you for your link. Indeed I've found the similar path to the json.js file but the thing was that the file seemed to be weird, containing only the alert method inside. I thought it was a virus... Didn't know why.

> using jquery will validate and parse the data for you too.

Yes, jQuery is another option.

tinfanide Posted November 26, 2011

And it seems parsing JSON objects is not possible in IE7. I've searched online for solutions and they all pointed to json2.js, but I've included the file and it just does not work in IE7. It returns "SCRIPT1028: Expected identifier, string or number" (IE7 Console)

My demo: http://lifelearning.x10.mx/jsonTEST.html

Please have a look. If JSON is not that popular on the web, I'd use XML rather.

thescientist Posted November 26, 2011

JSON is in fact quite popular on the web and it is pretty close to outpacing XML, or at least in my opinion it should. The ease of its use for transporting data between languages is especially handy for the sheer fact that it requires minimal markup to "explain" its content, unlike XML.

Did you try removing the comma after "20"? You don't need it there. I've had no problems using JSON in any browser for any task. If it was that difficult to work with, Javascript would certainly not be as fluent on the web as it is.

justsomeguy Posted November 27, 2011

IE7 and lower will show an error on hanging commas like that. IE8 and other browsers will ignore them.

tinfanide Posted November 30, 2011

> eval executes code. That's fine if the only code to execute is code that defines an object structure, but it's not so OK if someone injected malicious code for all of your users to execute. JSON libraries include a method called parse which validates the data first to ensure it only contains a data structure and not arbitrary code to execute. There's a JSON parser here which does not use eval, but it also doesn't validate to make sure the data structure is valid. That may result in a browser error if the data structure isn't formed correctly: http://code.google.c...json-sans-eval/ There's another library here which does do validation, but also uses eval. It also includes a stringify method. https://github.com/d...master/json2.js

Yes, I used the first one from Google and worked. But just wonder if I must use the syntax

```javascript
var jsonObj = '{"name": "property"}';
// how about this:
var jsonObj = {name: ""}
```

```html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Untitled Document</title>
<script type="text/javascript" src="json-lib/json_parse.js"></script>
<script>
var obj = {name: "Tin", "######": "Male","age": 20};
var json = JSON.parse(obj);
document.write(json.name);
document.write("<br />");
</script>
</head>
<body></body>
</html>
```

I tried to use the original one (json_parse.js) but didn't work...

justsomeguy Posted November 30, 2011

You don't need to parse that, it's already an object. The parse method turns a string into the object. You can use stringify if you want to turn the object into a string. If you're starting with an object then you don't need to do anything. JSON stands for JavaScript Object Notation, it is the native way to define objects in Javascript. The parse method is only used for turning a string representation of an object into an actual object. The reason people use JSON with ajax is because a language like PHP cannot return an actual object or array to Javascript, but it can return a string that Javascript can convert into an object.

tinfanide Posted December 3, 2011

How about using an external JSON file?

```
{"students": [
  {name: "Tin", ######: "Male", age: 20},
  {name: "Valerie", ######: "Female", age: 16},
  {name: "Valeriana", ######: "Female", age: 18},
],
"teachers": [
  {name: "Tim", ######: "Male", age: 30},
  {name: "Val", ######: "Female", age: 40},
  {name: "Vivian", ######: "Female", age: 50},
],
"parents": [
  {name: "Tiffany", ######: "Male", age: 60},
  {name: "Viona", ######: "Female", age: 66},
  {name: "Vivi", ######: "Female", age: 68},
],
}
```

I think in the codes below the parts within "///////" are problematic. I managed to use `var jsonData= eval("("+xmlhttp.responseText+")");` to get the data from the external JSON file. But I'm afraid of the security issue with eval(). So I wanna change to some safer JSON methods like stringify(), jsonParse(), parse()

```html
<div id="result"></div>
////////////////////////////////////////////////////////////
<script type="text/javascript" src="http://json-sans-eval.googlecode.com/files/json-minified.js"></script>
////////////////////////////////////////////////////////////
<script type="text/javascript">
function ajax(group,index,property){
  xmlhttp = (window.XMLHttpRequest) ? new XMLHttpRequest() : new ActiveXObject("Microsoft.XMLHTTP");
  xmlhttp.onreadystatechange = function(){
    if(xmlhttp.readyState==4 && xmlhttp.status==200){
      ////////////////////////////////////////////////////////////
      var jsonData= jsonParse(xmlhttp.responseText);
      ////////////////////////////////////////////////////////////
      if(group==""||index==""||property==""){
        document.getElementById("result").innerHTML = "Please select a field.";
      } else {
        document.getElementById("result").innerHTML = jsonData[group][index][property];
      }
    }
  }
  xmlhttp.open("GET","json.json",true);
  xmlhttp.send(null);
}
</script>
```

thescientist Posted December 3, 2011

I think you're missing the point. If you already have an object, then you don't need to do anything to it. Those libraries are for when you only have a string representation of an object/array (i.e. data structure) that you need to turn into a legitimate data structure.

Also, there are a couple of syntax errors with your external data structure; one is for the same reason we pointed out before, you have a trailing comma after your last array member. Also, I can't see what you are using as a key value after name, it just comes across as ###### in your post. Depending on what that value is, you may need to enclose it in quotes.

If you really want to use AJAX to get an external object, you should use PHP to json_encode a PHP array and then you can use one of these libraries that you are so intent on using, since it will come back as string, not an already well formed object like you are using.

tinfanide Posted December 3, 2011

```html
<!DOCTYPE HTML>
<html>
<head>
  <title>Simple AJAX .JSON load example</title>
</head>
<body>
<input type="button" value="press" onclick="ajax()" />
<div id="result"></div>
<script type="text/javascript">
function ajax(){
  var xmlhttp = (window.XMLHttpRequest) ? new XMLHttpRequest() : new ActiveXObject("Microsoft.XMLHTTP");
  xmlhttp.onreadystatechange = function(){
    if(this.readyState==4 && this.status==200){
      var jsonData = JSON.parse(this.responseText);
      document.getElementById("result").innerHTML = jsonData.students.name;
    }
  }
  xmlhttp.open("GET","j.json");
  xmlhttp.send(null);
}
</script>
</body>
</html>
```

j.json:

```
{"students":{"name":"Winnie"}}
```

I finally found out that I could use JSON.parse() and should keep the property in JSON within " ". But in JS or JSON object it seems that the " " around the property is not a must

```
// JS
var jsObj = { obj: "obj" }
// JSON
// Not completely sure
{ obj: "obj" }
```

Is it a must to use " " in JSON properties?

justsomeguy Posted December 3, 2011

Only if it's not a valid identifier name, like if it contains spaces or something.

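
The two points this thread keeps returning to, eval() running whatever the response contains and the stricter grammar JSON.parse() enforces (quoted keys, no trailing commas), shown side by side as an added example that is not code from any poster. The sample response strings, the function names and the `evalRanCode` flag are constructed for the illustration.

```javascript
// Constructed sample responses (not taken from the thread's server).
const samples = {
  valid:         '{"students": [{"name": "Tin", "age": 20}]}',
  trailingComma: '{"students": [{"name": "Tin", "age": 20},]}',
  unquotedKey:   '{students: [{name: "Tin", age: 20}]}',
  // An expression sitting in a value position; here it only flips a flag.
  carriesCode:   '{"name": "Tin", "age": (function () { globalThis.evalRanCode = true; return 20; })()}'
};

// The pattern from the thread: eval("(" + responseText + ")").
// The text is treated as a JavaScript expression, so anything in it runs.
function parseWithEval(text) {
  globalThis.evalRanCode = false;
  try {
    const value = eval("(" + text + ")");
    return { ok: true, value: value, codeRan: globalThis.evalRanCode };
  } catch (err) {
    return { ok: false, error: err.name, codeRan: globalThis.evalRanCode };
  }
}

// JSON.parse accepts only the JSON grammar and never executes the text.
function parseStrict(text) {
  globalThis.evalRanCode = false;
  try {
    return { ok: true, value: JSON.parse(text), codeRan: globalThis.evalRanCode };
  } catch (err) {
    return { ok: false, error: err.name, codeRan: globalThis.evalRanCode };
  }
}

// Run every sample through both parsers and collect the outcomes.
function compare() {
  const rows = {};
  for (const [label, text] of Object.entries(samples)) {
    rows[label] = { eval: parseWithEval(text), parse: parseStrict(text) };
  }
  return rows;
}

console.log(JSON.stringify(compare(), null, 2));
```

Only the `valid` sample passes both parsers; the other three are accepted by eval() and rejected by JSON.parse() with a SyntaxError, and the `carriesCode` sample runs its embedded function under eval().
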
tinfanide Posted December 5, 2011

And another question: What if I want to load the external JSON file to JS? (Like the example raised here) Is AJAX the only way to achieve such an effect? I can't do things like:

```html
<script type="text/javascript" src="json.json"></script>
```

justsomeguy Posted December 5, 2011

If the file is exactly what you showed, then you need to use ajax. If you want to include it in a script tag then it needs to actually do something, like assign the object to a variable.

Archived
This topic is now archived and is closed to further replies.