That's an interesting point, and certainly sounds like a good idea.
I have to wonder, though, what's the actual security risk? If you're running
this bit of code, then by definition you're getting the JSON data from your
own domain. So presumably you have control over the data that you're
receiving?
If you're doing cross-domain JSON, then you are using JSONP, and the
downloaded data *will* be eval'ed. There's no way around that; it's how
cross-domain JSONP works - it has to be executable JavaScript so that it can
be loaded with a dynamic script element instead of XMLHttpRequest.
I've probably missed something obvious, so please bring me up to date. :-) I
just wanted to point out that there's no way to substitute a more secure
parser in the cross-domain JSONP case.
For the same-domain case, if you want a more secure parser with the existing
jQuery code, simply specify the data type as text instead of json. Then you
can parse the JSON text with your choice of parser.
-Mike
> From: Andrew
>
> Right now (jquery 1.2.6), the httpData function does this with JSON
> data:
>
> // Get the JavaScript object, if JSON is used.
> if ( type == "json" )
>     data = eval("(" + data + ")");
>
> This is not very secure. It would be better to allow users to
> choose a JSON parser to use to parse the data into a JSON
> object. Now, I can easily override this method, but it is not
> listed as a public API method. I would prefer, to
> prevent breaking myself, that this be split into a separate function:
>
> parseJSON: function (string)
> {
>     // the parameter, not the outer httpData variable, is what gets evaluated
>     return eval("(" + string + ")");
> }
>
> then document this method as part of the API. Now someone can
> switch this method to use a JSON parser instead (there are
> several parsers out there and at least one already written as
> a jq plugin).
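An added illustration, not code from this thread or from jQuery, of the difference being discussed: the eval-based parsing in jQuery 1.2.6's httpData accepts any JavaScript expression the response contains, while a strict parser rejects anything that is not JSON. The `hooks.parseJSON` split, the constructed responses and the use of `JSON.parse` as the default parser are assumptions made for the example.

```javascript
// Added example, not jQuery code. Assumes a JSON.parse implementation
// (built into modern engines; in 2008 a library such as json2.js filled that role).

// What jQuery 1.2.6 httpData does: the response is evaluated as JavaScript.
function evalParse(text) {
  return eval("(" + text + ")");
}

// A strict parser: throws on anything that is not JSON.
function strictParse(text) {
  return JSON.parse(text);
}

// Counter that lets us observe whether parsing executed code.
let codeRan = 0;

// Constructed responses. The second is valid JavaScript but not valid JSON:
// evaluating it runs a function call and fabricates a field value.
const wellFormed = '{"user": "alice", "admin": false}';
const notJson = '{"user": "alice", "admin": (function () { codeRan += 1; return true; })()}';

// Run a response through both parsers and record what each accepted.
function parseBoth(text) {
  const out = { evalOk: false, strictOk: false, value: undefined };
  try { out.value = evalParse(text); out.evalOk = true; } catch (e) { /* eval rejected it */ }
  try { strictParse(text); out.strictOk = true; } catch (e) { /* not JSON */ }
  return out;
}

// The split Andrew proposes: httpData delegates to a replaceable parseJSON hook,
// so a caller can swap eval out without overriding a private function.
const hooks = { parseJSON: strictParse };

function httpData(data, type) {
  if (type === "json") {
    data = hooks.parseJSON(data);
  }
  return data;
}
```

With the strict hook installed, the non-JSON response is rejected and `codeRan` stays at whatever the eval path left it, which is the whole point of being able to substitute the parser.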