Parse JSON string without JSON.parse and eval()

#json #javascript


    var jsonStr="{name:'abc',age:20}";
    var jsonObject = (new Function( "return " + jsonStr ) )() ;
    console.log(jsonObject);

Top comments (4)

Fabian Holzer • Jul 14 '18

JSON.parse would yield a syntax error in this example, because jsonStr is not acutally JSON, since JSON requires double quotes for string, and requires the keys to be in string form as well.

But what is much more grave, this function is prone to script injection.

let jsonObject = 
  (letsHopeItsJson) => ((new Function( "return " + letsHopeItsJson) )())

let iffe = "(function(){alert('script injection')})()";

console.log(jsonObject(iffe));

Sandeep kamboj • Jul 14 '18

yes. this code is also used for script injection.

I have checked jquery parseJSON method in jquery library in 1.x version. It also uses this technique to parse json..

Fabian Holzer • Jul 14 '18 • Edited

Just to be perfectly clear: script injection is not a feature, it is a security vurnerabilty. And that jQuery, in an apparently rather old version, did this in its days, is no excuse to repeat the mistake in 2018.

Glauber Funez • Nov 8 '19

right and what would be the best way to do that since JSON.parse doesn't work because it has a function?
I ask that because I have a very similar scenario.

DEV Community

Parse JSON string without JSON.parse and eval()

Top comments (4)

Read next

Building a Free Online Music Creator: Free Incredibox Sprunki

Create a Dynamic Code Playground with SandPack + React!

Streamlining API Calls in Angular v18 with TanStack Angular Query

Simplifying Excel Table Parsing in Node.js with @libs-jd/xlsx-parse-table