Re: JSON Formatted String

What you do not want to do is to eval it, i.e. “just to see if it works.” Many a website has been zapped by a maliciously-formed JSON string.

Replies are listed 'Best First'.
Re^2: JSON Formatted String by Anonyrnous Monk (Hermit) on Jan 12, 2011 at 15:09 UTC
Many a website has been zapped... Could you elaborate? "Zapping" a web site would normally happen on the server, but how (or why) would you "eval" a JSON string server-side? As JSON is JavaScript, it can only be directly eval-ed by a JS interpreter. Sure you could run a JS interpreter server-side, but more typically, JS is used for client-side code, where eval-ing a malicious JSON string would unlikely have the effect of zapping the site... (at least it ought not be able to, as you can't really control what people do client-side anyway).	[reply]

Replies are listed 'Best First'.

Re^2: JSON Formatted String
by Anonyrnous Monk (Hermit) on Jan 12, 2011 at 15:09 UTC

Many a website has been zapped...

Could you elaborate? "Zapping" a web site would normally happen on the server, but how (or why) would you "eval" a JSON string server-side? As JSON is JavaScript, it can only be directly eval-ed by a JS interpreter. Sure you could run a JS interpreter server-side, but more typically, JS is used for client-side code, where eval-ing a malicious JSON string would unlikely have the effect of zapping the site... (at least it ought not be able to, as you can't really control what people do client-side anyway).

[reply]