
Re: MWABP for discussion: JSON parsing vs eval benchmarking.

From: Dominique Hazael-Massieux <dom@w3.org>
Date: Tue, 19 May 2009 13:55:59 +0200
To: Adam Connors <adamconnors@google.com>
Cc: Mobile Web Best Practices Working Group WG <public-bpwg@w3.org>
Message-Id: <1242734159.4263.1965.camel@localhost>
On Tuesday 19 May 2009 at 12:44 +0100, Adam Connors wrote:
> * If the gap hasn't closed I propose that we change this BP to state
> that the preferred option is to use eval() but only on trusted data
> (either you know it came from your server or you have escaped any user
> generated content).

I think I would at least phrase it the other way around (i.e. the
preferred option is JSON parsing, but you can get performance gains with
eval() on some platforms if you're dealing with really trusted data),
but even that sounds a bit scary to me.
http://log.does-not-exist.org/archives/2007/12/03/2155_json_eval_owning_the_dashboard.html comes to my mind for instance...

["really trusted data" would mean data transferred over https, with full
assurance that everything has been properly escaped, which is so easy to
get wrong that making it a best practice seems really difficult to me]

Dom
Received on Tuesday, 19 May 2009 11:56:26 UTC
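
The trade-off discussed in the message above, as an added example that is not part of the original post: the same response text is handed to eval() and to JSON.parse(), once well-formed and once with an unescaped field. The function names, the `__sideEffect` flag and both payloads are constructed for illustration.

```javascript
// Added example, not code from the thread. All sample data is constructed.

// Constructed sample: a well-formed JSON response from the server.
const goodResponse = '{"user": "alice", "unread": 3}';

// Constructed sample: a field was not escaped on the way out, so the text is
// no longer pure JSON. It now contains an expression with a side effect.
const taintedResponse =
  '{"user": "alice", "unread": (globalThis.__sideEffect = true, 3)}';

// eval() approach: the response is treated as JavaScript source, so every
// expression inside it is executed with the page's privileges.
function parseWithEval(text) {
  return eval('(' + text + ')');
}

// JSON parsing approach: the text is accepted only if it matches the JSON
// grammar; anything else is rejected before any of it can run.
function parseWithJson(text) {
  try {
    return { ok: true, value: JSON.parse(text) };
  } catch (err) {
    return { ok: false, error: err.name };
  }
}

// Run both parsers on the same text and record whether embedded code ran.
function compare(text) {
  globalThis.__sideEffect = false;
  const evalValue = parseWithEval(text);
  const codeRan = globalThis.__sideEffect;
  const jsonResult = parseWithJson(text);
  return { evalValue, codeRan, jsonResult };
}

for (const [label, text] of [['good', goodResponse], ['tainted', taintedResponse]]) {
  const r = compare(text);
  console.log(label, '| eval ran embedded code:', r.codeRan,
              '| JSON.parse accepted:', r.jsonResult.ok);
}
```

Both parsers return the same object for the well-formed response; for the tainted one, eval() returns an ordinary-looking object while the embedded expression has already run, and JSON.parse() throws a SyntaxError.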
