Json+ajax

  • dmjpro
    Top Contributor
    • Jan 2007
    • 2476

    Json+ajax

    Recently I came to know that ..... it's better to generate some JSON instead of plain HTML when I am calling AJAX.
    But today I read that the usage of eval is dangerous while I am processing the AJAX JSON response using eval.
    I could not get the point .... Could you please explain it to me!
  • acoder
    Recognized Expert MVP
    • Nov 2006
    • 16032

    #2
    It's dangerous when the server doesn't validate properly and delivers invalid JSON. You could use a JSON parser instead of eval. See this link for more information.


    • rnd me
      Recognized Expert Contributor
      • Jun 2007
      • 427

      #3
      Actually, there is little danger in eval'ing JSON from AJAX.

      AJAX only works on your site, which presumably you control, and thus it will never spit out malicious code as long as you scrub any user-generated content.


      The danger is when fetching third-party data in JSON from external sites that you DO NOT control. You are at the mercy of the data source as to the safety of the code.

      Personally,
      I think this issue is largely theoretical and over-hyped. Most JSON APIs are run by reputable sites like Digg, Flickr, and Delicious. I don't see them turning to hacking anytime soon.


      • dmjpro
        Top Contributor
        • Jan 2007
        • 2476

        #4
        Originally posted by acoder
        It's dangerous when the server doesn't validate properly and delivers invalid JSON. You could use a JSON parser instead of eval. See this link for more information.
        Invalid JSON means what?
        Could I know that?


        • acoder
          Recognized Expert MVP
          • Nov 2006
          • 16032

          #5
          Originally posted by rnd me
          Actually, there is little danger in eval'ing JSON from AJAX.

          AJAX only works on your site, which presumably you control, and thus it will never spit out malicious code as long as you scrub any user-generated content.
          unless you happen to be using a web proxy.

          Originally posted by rnd me
          The danger is when fetching third-party data in JSON from external sites that you DO NOT control. You are at the mercy of the data source as to the safety of the code.

          Personally,
          I think this issue is largely theoretical and over-hyped. Most JSON APIs are run by reputable sites like Digg, Flickr, and Delicious. I don't see them turning to hacking anytime soon.
          You're probably correct, but it's always better to be safe than sorry.


          • acoder
            Recognized Expert MVP
            • Nov 2006
            • 16032

            #6
            Originally posted by dmjpro
            Invalid JSON means what?
            Could I know that?
            It can't be parsed properly and doesn't follow the syntax as described here. As rnd me mentioned though, this could be theoretical, but I wouldn't take any chances.

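The point made in #2 (use a JSON parser instead of eval) and the question answered in #6 (what "invalid JSON" means in practice) are easiest to see side by side. The following is an added example written for this thread, not code posted by any of the participants. It runs offline in Node: the RESPONSES strings are constructed stand-ins for what XMLHttpRequest.responseText might contain, the function names are the example's own, and the expected payload shape checked by readUserPayload is an assumption made for the demo.

```javascript
// Added example (not from the thread): why eval() on an AJAX response is
// risky and what JSON.parse() changes. Runs offline in Node; the RESPONSES
// strings below are constructed stand-ins for XMLHttpRequest.responseText.

const sideEffects = []; // records anything a response manages to execute

// The eval-era idiom: wrap the text in parentheses so that an object
// literal parses as an expression instead of a block statement.
function parseWithEval(responseText) {
  return eval('(' + responseText + ')');
}

// The replacement suggested in #2: JSON.parse() accepts only the JSON
// grammar. Text that is executable JavaScript but not JSON throws a
// SyntaxError before anything runs.
function parseWithJsonParse(responseText) {
  return JSON.parse(responseText);
}

// Constructed sample responses (hypothetical; not from any real server).
const RESPONSES = {
  // what a well-behaved server sends
  valid: '{"user":"alice","items":[1,2,3]}',
  // "invalid JSON" in the sense of #6: a comment, an unquoted key, trailing
  // commas and single quotes. Legal JavaScript, not legal JSON.
  sloppy: "{'user':'alice', /* comment */ items:[1,2,], }",
  // still an object literal, but one value is a function call that eval()
  // executes while building the object
  hostile: '{"user":"alice","items":[1,2,3],"x":sideEffects.push("executed")}',
  // what a compromised or tampering source can substitute: code first, then
  // a plausible-looking object so the caller notices nothing
  injected: 'sideEffects.push("ran arbitrary code"), {"user":"mallory","items":[]}',
};

// Run one response through both parsers and record what happened.
function compare(name) {
  const text = RESPONSES[name];
  const result = { name, evalOk: false, jsonOk: false };
  try {
    result.evalValue = parseWithEval(text);
    result.evalOk = true;
  } catch (e) {
    result.evalError = e.name;
  }
  try {
    result.jsonValue = parseWithJsonParse(text);
    result.jsonOk = true;
  } catch (e) {
    result.jsonError = e.name;
  }
  return result;
}

// Run every sample; returns the results plus the side effects eval() caused.
function runAll() {
  sideEffects.length = 0;
  const results = {};
  for (const name of Object.keys(RESPONSES)) results[name] = compare(name);
  return { results, executed: sideEffects.slice() };
}

// JSON.parse() only guarantees syntax. A response handler should still check
// the shape it expects before using the data. The shape assumed here
// ({user: string, items: integer[]}) is invented for the demo.
function readUserPayload(responseText) {
  const data = JSON.parse(responseText);
  if (data === null || typeof data !== 'object' || Array.isArray(data)) {
    throw new TypeError('expected a JSON object');
  }
  if (typeof data.user !== 'string') {
    throw new TypeError('user must be a string');
  }
  if (!Array.isArray(data.items) || !data.items.every(Number.isInteger)) {
    throw new TypeError('items must be an array of integers');
  }
  return { user: data.user, items: data.items.slice() };
}

// Demo when run directly: node eval_vs_json.js
if (typeof require !== 'undefined' && require.main === module) {
  const { results, executed } = runAll();
  for (const r of Object.values(results)) {
    console.log(r.name.padEnd(9), 'eval:', r.evalOk ? 'ran' : r.evalError,
                ' JSON.parse:', r.jsonOk ? 'ok' : r.jsonError);
  }
  console.log('code executed by eval():', executed);
}
```

All four samples go through eval() without complaint, and two of them run code on the way; JSON.parse() accepts only the first and rejects the other three with a SyntaxError. That is the whole difference: a JSON parser cannot execute anything, so a bad or tampered response (the web proxy case raised in #5 included) fails loudly instead of silently running. The shape check after parsing is the part people forget: JSON.parse() tells you the text was JSON, not that it was the JSON you expected.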
