评估和演示是邪恶的...所以,我应该用什么呢? [英] Eval is evil... So what should I use instead?
问题描述
这是AJAX请求返回了我一个标准的JSON数组充满了我的用户的输入。输入已经被消毒,并使用eval()函数,我可以轻松地创建我的JavaScript对象和更新我的网页...
An ajax request returns me a standard JSON array filled with my user's inputs. The input has been sanitized, and using the eval() function, I can easily create my javascript object and update my page...
因此,这里的问题。不管我如何努力尝试消毒的投入,我宁愿不使用eval()函数。我检查了谷歌的方式使用JSON的AJAX无EVAL和已经跑翻过了一堆不同的方法......
So here's the problem. No matter how hard I try to sanitize the inputs, I'd rather not use the eval() function. I've checked google for ways to use "JSON in AJAX without eval" and have ran accross a bunch of different methods...
哪一个我应该使用?有没有一个标准,这样做的经过验证的,安全的方法是什么?
Which one should I use? Is there a standard, proven-secure way of doing this?
推荐答案
json.org有一个很好的 JavaScript库
json.org has a nice javascript library
简单的用法:
JSON.parse('[{"some":"json"}]');
JSON.stringify([{some:'json'}]);
修改:正如在评论中,这种使用eval如果你通过它的源代码(尽管它看起来是消毒第一)
Edit: As pointed out in comments, this uses eval if you look through its source (although it looks to be sanitized first)
要完全避免它,看看 json_parse 或的json-sans-eval
to avoid it completely, look at json_parse or json-sans-eval
json2.js是不安全的,json_parse.js缓慢,JSON-SANS-eval.js是非验证
json2.js is insecure, json_parse.js is slow, json-sans-eval.js is non-validating
这篇关于评估和演示是邪恶的...所以,我应该用什么呢?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!