Is it safe to use advanced constructs (functions, new, function calls) in JSON?

Posted on 2024-08-29 06:05:50

JSON is a nice way to pass complex data from my server side code to client side JavaScript. For example, in PHP I can write:

<script type="text/javascript">
    var MyComplexVariable = <?= BigFancyObjectGraph.GetJSON() ?>;
    DoMagic(MyComplexVariable);
</script>

This is pretty cool, but sometimes you want to pass more than basic data, like dates or even function definitions. There is a simple and straightforward way of doing it too, like:

<script type="text/javascript">
    var MyComplexVariable = {
        'SimpleProperty' : 42,
        'FunctionProperty' : function()
        {
            return 6*7;
        },
        'DateProperty' : new Date(989539200000),
        'ArbitraryProperty' : GetTheMeaningOfLifeUniverseAndEverything()
    };
    DoMagic(MyComplexVariable);
</script>

And this works like a charm on all browsers I've seen so far. But according to JSON.org such syntax is invalid. On the other hand, I've seen this syntax being used in very many places, including some popular JavaScript frameworks. So...

Can I expect any problems if I use "unsupported" JSON features like the above? Why is it wrong or not?

Added clarification: If I expected my JSON to be consumed by some unknown 3rd party software, or even a known parser which was not a browser, then such exotics would indeed most likely not work and I would not attempt to embed them. But I'm interested in the case where the JSON code is written directly inside a JavaScript code block that is executed by an Internet browser. Like the examples above.


Comments (1)

十六岁半 2024-09-05 06:05:50

According to JSON.org, a JSON object only supports the following value members of an object:

[image] (source: json.org)

Since none of these is a function, I would suggest not using it since, as you said, it is not officially supported in the spec.

Besides, what happens when a non-JavaScript client (such as a Python program) tries to consume your JSON? How is it going to run your JavaScript code?
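Added example, not part of the original question or answer: the script below shows that a strict JSON parser rejects the object literal from the question, and sketches one way to inline a date as data rather than as executable code. The helper names (`isStrictJson`, `encodeForScript`, `reviveDates`) and the `{"$date": ...}` tagging convention are assumptions made for this illustration.

```javascript
// Constructed sample: the object literal from the question, as text a parser would receive.
const literalFromQuestion = `{
  'SimpleProperty': 42,
  'FunctionProperty': function () { return 6 * 7; },
  'DateProperty': new Date(989539200000)
}`;

// True only if the text is valid JSON as defined by JSON.org.
function isStrictJson(text) {
  try {
    JSON.parse(text);
    return true;
  } catch (err) {
    return false;
  }
}

// Hypothetical helper: serialize data for inlining in a <script> block.
// Dates become {"$date": <ms>} (an assumed convention), functions are dropped
// by JSON.stringify, and characters that could close the script element or
// break older JavaScript parsers are emitted as \uXXXX escapes.
function encodeForScript(value) {
  const json = JSON.stringify(value, function (key, v) {
    // Date#toJSON has already run on v, so inspect the raw value on the holder.
    const raw = this[key];
    return raw instanceof Date ? { $date: raw.getTime() } : v;
  });
  return json.replace(/[<>&\u2028\u2029]/g,
    (c) => '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

// Hypothetical reviver for JSON.parse: turns {"$date": <ms>} back into a Date.
function reviveDates(key, v) {
  const isTagged = v !== null && typeof v === 'object' &&
    Object.keys(v).length === 1 && typeof v.$date === 'number';
  return isTagged ? new Date(v.$date) : v;
}

// Constructed payload, including a string that would otherwise end the script block.
const payload = {
  SimpleProperty: 42,
  FunctionProperty: function () { return 6 * 7; },
  DateProperty: new Date(989539200000),
  Note: '</script>'
};
const inlined = encodeForScript(payload);
const restored = JSON.parse(inlined, reviveDates);
console.log(isStrictJson(literalFromQuestion), inlined, restored);
```

The inlined text stays valid JSON, so a non-browser consumer can still parse it and apply its own handling of the `$date` tag.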
