- From: Adam Connors <adamconnors@google.com>
- Date: Tue, 19 May 2009 12:44:59 +0100
- To: Mobile Web Best Practices Working Group WG <public-bpwg@w3.org>
Received on Tuesday, 19 May 2009 11:45:37 UTC
There is a BP in the MWABP which states you shouldn't directly eval() JSON data but should use a JSON parser instead for security reasons... We came to this point after a number of more nuanced iterations.

However, feedback from a colleague in the office who did some benchmarking suggests that JSON parsing is approx. * 10 slower than direct eval().

So... I don't think we can really make a BP that would require an app to run * 10 slower than it has to...

I propose:

* Would somebody please volunteer to verify this figure and see if it is still true. It was true on iPhone 1 and the gap may have narrowed in 2.x, Android, or other platforms...
* If the gap has narrowed we should keep things as they are and offer some comment on relative performance eval vs JSON parsing.
* If the gap hasn't closed I propose that we change this BP to state that the preferred option is to use eval() but only on trusted data (either you know it came from your server or you have escaped any user generated content). And include a rationale based around the performance of JSON parsers on mobile devices.

Thoughts?

Thanks,

Adam.
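The trade-off raised in the message above, as an added example that is not part of the original post: it runs the same text through eval() and through a JSON parser, shows what each does with a response that is not pure JSON, and times both so the figure can be re-measured on a given device. Assumptions: the runtime's built-in `JSON.parse` stands in for "a JSON parser" (the benchmark the message cites may have used a different one), and all function names and sample payloads are constructed for illustration.

```javascript
// Added example (not from the original message). Names and payloads are constructed.

// eval() approach: the response text is executed as JavaScript source.
function parseWithEval(text) {
  return (0, eval)('(' + text + ')'); // indirect eval, evaluated in global scope
}

// Parser approach: only the JSON grammar is accepted, nothing is executed.
function parseWithJsonParser(text) {
  return JSON.parse(text); // assumption: built-in parser stands in for "a JSON parser"
}

// Constructed sample: a well-formed response from a trusted server.
const TRUSTED = JSON.stringify({ user: 'adam', items: [1, 2, 3], ok: true });

// Constructed sample: looks like JSON, but one value is an expression with a
// harmless, observable side effect (it sets a flag on the global object).
const UNTRUSTED = '{"user": "x", "n": (globalThis.evalRanCode = true)}';

// Feed the untrusted text to both approaches and report what happened.
function compareOnUntrusted() {
  globalThis.evalRanCode = false;
  parseWithEval(UNTRUSTED);
  const evalExecuted = globalThis.evalRanCode === true;

  globalThis.evalRanCode = false;
  let parserRejected = false;
  try {
    parseWithJsonParser(UNTRUSTED);
  } catch (e) {
    parserRejected = e instanceof SyntaxError;
  }
  const parserExecuted = globalThis.evalRanCode === true;
  return { evalExecuted, parserRejected, parserExecuted };
}

// Time both approaches on the same text; results depend on device and engine.
function benchmark(text, iterations) {
  const time = (fn) => {
    const start = Date.now();
    for (let i = 0; i < iterations; i++) fn(text);
    return Date.now() - start;
  };
  return { evalMs: time(parseWithEval), parserMs: time(parseWithJsonParser) };
}

console.log(compareOnUntrusted(), benchmark(TRUSTED, 20000));
```

The timing output is only meaningful on the target device; the behavioural difference on the untrusted sample holds regardless of speed.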