All geek questions in one place

Does JSON.parse () use the internal function eval ()?

Does JSON.parse in modern browsers use eval() internally to evaluate and execute dynamic code?

Because I was browsing the Douglas Crockford JSON library. It also uses eval() when using parse (), but after preprocessing until the actual evaluation. For instance: -

  • Sticker on Unicode characters in code.
  • The code shows a malicious intent.

Do modern browsers that support JSON.parse use this, or do they follow other protocols?

+6
source share
2 answers

No, JSON.parse() does not use eval()

This is by design, since eval() can execute any arbitrary JavaScript code that you feed it, it can execute those things that you do not need. So JSON.parse() does what it says about the gesture: it actually parses the entire string and reconstructs the whole tree of objects.

JSON.parse usually delegated to an internal function implemented with "native" code, where "native" means everything that is considered "native" in the context of your javascript engine browser (machine code may be compiled, there may be bytecode for VM, etc. d.). I do not think there is any strong demand.

Differences in implementations?

JSON (designation itself) is encoded by RFC4627 .

Regarding the implementation of the JSON object and its methods, all modern modern browsers should behave the same, as they must follow the same specifications for the ECMAScript 5 JSON object . However, there is always the possibility of potential defects. For example, V8 originally contained this nasty bug .

Also, note that the implementation listed in the comments above is intended to add JSON.parse() support for browsers that don't support it natively (also called "these damn old browsers that you sometimes need to support"). But this does not mean that it is necessary how they implemented it.

For example, for the Google V8 implementation used in Chrome, see json.js , which calls native code from json_parser.h .

+9
source

It would be very funny if you think about it.

To see why, look if this analogy helps: you travel with your boss to a country where you speak this language, but she does not. Since you are fluent, you will fulfill two roles: both her assistant (performing tasks for her) and her translator (telling her what this means).

So, you have these two works that complement each other. Your boss can tell you to do something - in any language you understand (say, in English), and also ask you to tell her that something says like a sign or a document. She could have done both: send you a set of instructions written in that other language and say: β€œIt was passed on to me by someone I trust. Please do whatever is said here.”

In this analogy, reading characters or documents to your boss is like JSON.parse . Your boss gives you instructions and tells you to do whatever they say like eval .

If JavaScript engines used eval internally for JSON.parse , this would be similar to your boss asking you what the document says and you decide to release everything written in the document to explain it to her. Instead of just reading it.

-1
source

Source: https://habr.com/ru/post/946951/

More articles:


All Articles