
Loading JSON with JavaScript using eval... wait Google, what? - redox_
https://developers.google.com/gdata/docs/json#Request
======
lstamour
I bet the article was one of the first to cover JSON and was only updated two
years ago to the new stylesheet.

~~~
magicalist
Yeah, it says updated in 2012, but if you go to the articles section, for
instance, they're all 5-7 years old.

Though it's poor form even back then that they'd link to JSON.org (which has
the JSON library which we all used before native browser support) and then not
use it in the actual sample code.

~~~
lstamour
Google was all about efficiency. In the early days, as with JSONP, the point
was to eval the stuff. In some ways, it was a step back. Had we pushed for
more E4X implementations we might have sent HTML over the wire instead, and
would have avoided JS-based template languages, the overhead of converting
JSON to at least one representation of HTML, etc.

------
jamesrom
Google feel confident enough that they won't be returning malicious JavaScript.

Obviously, you should use JSON.parse in 99.99% of cases, but if you can trust
the source of the content (not as easy as it sounds), and you have no other
alternative, eval won't cause any security problems.

------
magnetikonline
Well supported: [http://caniuse.com/json](http://caniuse.com/json)

Use JSON.stringify() and JSON.parse() - only gives issues in IE8 with an
incorrect doctype (go figure?!?!).

------
gengkev
Just a question - is this any worse than the "JSON-in-script" output method?

~~~
kolodny
Significantly worse. Using the JSONP[1] format is passing a regular JavaScript
object to a global function.

[1] [http://en.wikipedia.org/wiki/JSONP](http://en.wikipedia.org/wiki/JSONP)

~~~
bickfordb
It seems that if the attacker controls the source URL, he could eval anything
he wanted in either case?

~~~
kolodny
While that's true in this case, it's considered a bad practice to eval JSON to
get a JavaScript object. Most browsers (all modern ones) have a JSON.parse
method that will safely evaluate any JSON string to a JS object. The really old
browsers have libraries to accomplish this.

It seems that this article hasn't been updated in a while, by the very fact
that the next section is called "JSON-in-script output" and not JSONP. Keep in
mind this article even has a reference to json.org at the bottom of that page,
which includes a library to do said function.
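An added example, not from the thread or from Google's docs, that puts the eval pattern the linked page shows next to JSON.parse. The response bodies and the noteSideEffect helper are constructed for the demo; the second body is valid JavaScript but not valid JSON, which is exactly the case the thread is arguing about.

```javascript
// Added example (not from the thread or from Google's docs). The response
// bodies and the noteSideEffect helper are constructed for this demo.
let sideEffects = 0; // how many times "parsing" executed code

function noteSideEffect() {
  sideEffects += 1;
  return "ran";
}

// A well-formed JSON response body, in the GData style the docs describe.
const GOOD_RESPONSE = '{"feed": {"title": {"$t": "Blog"}, "entry": []}}';

// Valid JavaScript but not valid JSON: it contains a function call.
// Anything that can alter the response body can put code here.
const NOT_JSON_RESPONSE = '{"feed": noteSideEffect()}';

// The pattern the docs show: wrap the body in parentheses and eval it.
// Whatever the body contains is executed with the page's privileges.
function loadWithEval(body) {
  return eval("(" + body + ")");
}

// The pattern the thread recommends: JSON.parse only accepts the JSON
// grammar, never runs code, and throws SyntaxError on anything else.
function loadWithJsonParse(body) {
  try {
    return { ok: true, data: JSON.parse(body) };
  } catch (e) {
    return { ok: false, error: e.name };
  }
}

// Run both loaders over both bodies and report what happened.
function compare() {
  sideEffects = 0;
  const viaEval = loadWithEval(GOOD_RESPONSE);
  const viaParse = loadWithJsonParse(GOOD_RESPONSE);
  const evalOnBad = loadWithEval(NOT_JSON_RESPONSE); // executes noteSideEffect
  const parseOnBad = loadWithJsonParse(NOT_JSON_RESPONSE); // rejected
  return {
    evalTitle: viaEval.feed.title.$t, // "Blog"
    parseTitle: viaParse.data.feed.title.$t, // "Blog"
    evalExecutedCode: sideEffects, // 1
    evalOnBadValue: evalOnBad.feed, // "ran"
    parseRejected: !parseOnBad.ok, // true
    parseError: parseOnBad.error, // "SyntaxError"
  };
}
console.log(compare());
```

Both loaders give the same object for a well-formed body; the difference only shows on a body that is not JSON, where eval runs it and JSON.parse refuses it.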

