execute a javascript code inside a json object?

Question

is there away?

so something like:

{ key1 : "val1", key2: "val2", some_code: "document.getElementById("someid").innerHTML='test';" }

So some_code would be executed without any user intervention?

As below, yes you could. However, it's best avoided. If you're providing this to a 3rd party is should get blocked. — Iain Ballard
– Iain Ballard, Commented Jan 31, 2011 at 10:44

Marcelo Cantos · Accepted Answer · 2011-01-31 13:24:01Z

4

No.

First of all, your example isn't valid JSON. Try it out at JSON validator.

Second of all, JSON is a data exchange standard and when properly parsed, any text that inside of it that is some code will not be executed.

Read on JSON security issues.

Rule of thumb: don't use JavaScript eval function, rather use a ready made parser such as Douglas Crockford's JSON evaluator.

edited Jan 31, 2011 at 13:24

Marcelo Cantos

187k40 gold badges338 silver badges366 bronze badges

answered Jan 31, 2011 at 10:44

darioo

47.4k10 gold badges79 silver badges104 bronze badges

Sign up to request clarification or add additional context in comments.

1 Comment

David Ang Over a year ago

okay thanks guys - i think id probaly stick to that - json as data and no possible way to "self execute" a json object.

Arnaud Le Blanc · Accepted Answer · 2011-01-31 10:42:27Z

3

This would not be JSON anymore. But you can post-process the parsed JSON:

json.some_code = eval(json.some_code);

However this may be dangerous (script injection, etc).

So, if you can, do this instead:

json = { key1 : "val1", key2: "val2", elem: "someid", html:"test" };
document.getElementById(json.elem).innerHTML=json.html;

answered Jan 31, 2011 at 10:42

Arnaud Le Blanc

100k24 gold badges211 silver badges196 bronze badges

Comments

Marcelo Cantos · Accepted Answer · 2011-01-31 10:43:46Z

2

Well, first you need to escape the double-quotes:

{ key1 : "val1", key2: "val2", some_code: "document.getElementById(\"someid\").innerHTML='test';" }

(Or use single-quotes.)

If you want to evaluate the some_code field as a script, it's as simple as passing it to eval:

eval(obj.some_code);

This is, of course, very hazardous unless you have absolute control over the contents of some_code.

answered Jan 31, 2011 at 10:43

Marcelo Cantos

187k40 gold badges338 silver badges366 bronze badges

Comments

Tom van der Woerdt · Accepted Answer · 2011-01-31 10:41:54Z

1

It is possible to do that, yes, for example by doing this :

{
  "functionName": function() {
    alert('Hello!');
  }()
}

However, that would not be valid JSON anymore. JSON does not accept functions.

answered Jan 31, 2011 at 10:41

Tom van der Woerdt

30.1k7 gold badges76 silver badges105 bronze badges

1 Comment

David Ang Over a year ago

hmm - a little difficult to construct and pass that structure from a backend server to the client browser eh?

Collectives™ on Stack Overflow

execute a javascript code inside a json object?

4 Answers 4

1 Comment

Comments

Comments

1 Comment

Your Answer

Linked

Hot Network Questions

Collectives™ on Stack Overflow

4 Answers 4

1 Comment

Comments

Comments

1 Comment

Your Answer

Sign up or log in

Post as a guest

Linked

Related