HTML and CSS Reference
In-Depth Information
Figure 18.20 After reading and parsing data from a JSON file.
Solving the eval() Security Problem
Using the JavaScript eval() function to parse Ajax data is not recommended as a secure
approach for handling data coming from an Ajax request as it makes the program vul-
nerable to cross-site scripting (XSS). There are a number of sites that deal specifically
with this issue 4 (see ). If your browser supports
native JSON, you can use the JSON parse() method to take the place of eval() . If the
browser doesn't support native JSON, there are public domain libraries available that are
easy to download and use with no fuss.
Example 18.22 is a simple test to see if your browser supports JSON. This script was
executed using Firefox 3.5.7 and Internet Explorer 8.0. Firefox ran the script without a
problem (see Figure 18.21), whereas Internet Explorer produced an error that it didn't
recognize “JSON” (see Figure 18.22). The problem was easy to solve by downloading
the json2 library and including it in the script, see Example 18.23 .
<script type="text/javascript">
// Testing native JSON support Firefox
var jsonString = '{"name":"Joe Shmoe", "phone":"415-111-1111"}';
var employee=JSON.parse(jsonString);
alert("Name: " + +"\nPhone: "+;
4. “The eval technique is subject to security vulnerabilities if the data and the entire JavaScript environment
is not within the control of a single trusted source. If the data is itself not trusted, for example, it may be
subject to malicious JavaScript code injection attacks; unless some additional means is used to validate
the data first.”—
Search WWH ::

Custom Search