Is JSON.parse() really safer than eval() when web page and ajax call come from same server?

Backend | Unresolved | 4 answers | 1188 views
无人及你 2021-02-05 14:43

I get that JSON.parse() prevents an attacker from injecting javascript into the response since a JSON parser is just a text parser, not a script parser so please don't close th
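The distinction the question rests on, as an added example that is not part of the original post: the same response body handed to eval() and to JSON.parse(). The "responses" are constructed strings standing in for what a man-in-the-middle could return when the page and the ajax call share an origin but the transport is not protected; pwned() is a hypothetical marker function so that any code execution by the parser is observable.

```javascript
// Added example, not code from the original question or answers.
// Compares eval() and JSON.parse() on constructed response bodies.

const executed = [];                          // records code a parser actually ran
function pwned() { executed.push('pwned() ran'); return null; }  // hypothetical marker

// Constructed sample bodies (not captured traffic).
const RESPONSES = {
  benign:   '{"user":"alice","admin":false}',
  // Well-formed JSON with altered data: neither parser can tell this apart
  // from the real thing, which is the questioner's point.
  forged:   '{"user":"alice","admin":true}',
  // An expression smuggled into a value: only eval() will run it.
  tampered: '{"user":"alice","admin":(pwned(), true)}',
  // Looks like it yields an ordinary object, but runs code on the way.
  wrapped:  '[pwned(), {"user":"alice","admin":false}][1]',
};

// The classic pre-JSON idiom: parentheses make eval() treat the text as an
// expression rather than a block statement.
function viaEval(body) {
  return eval('(' + body + ')');
}

// JSON.parse only accepts the JSON grammar; anything else is a SyntaxError.
function viaJsonParse(body) {
  try {
    return { ok: true, value: JSON.parse(body) };
  } catch (e) {
    return { ok: false, error: e.name };
  }
}

// Runs both parsers on one body and reports whether each executed code.
function compareParsers(body) {
  executed.length = 0;
  let evalResult;
  try {
    evalResult = { ok: true, value: viaEval(body) };
  } catch (e) {
    evalResult = { ok: false, error: e.name };
  }
  const evalRanCode = executed.length > 0;

  executed.length = 0;
  const jsonResult = viaJsonParse(body);
  const jsonRanCode = executed.length > 0;

  return { eval: evalResult, evalRanCode, json: jsonResult, jsonRanCode };
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const [name, body] of Object.entries(RESPONSES)) {
    const r = compareParsers(body);
    console.log(name.padEnd(9),
      'eval:', r.eval.ok ? JSON.stringify(r.eval.value) : r.eval.error,
      r.evalRanCode ? '(ran code)' : '',
      '| JSON.parse:', r.json.ok ? JSON.stringify(r.json.value) : r.json.error);
  }
}
```

The "forged" case is the one that matters for the question: JSON.parse() rejects the two bodies that carry code, but it cannot reject well-formed JSON whose data has been changed. An attacker who can rewrite the response can also rewrite the page's script, so the integrity of both still depends on the transport (TLS), not on the parser.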

4 answers
  •  故里飘歌
    2021-02-05 15:20

    That is a very good point. The only thing I can think of is that JSON.parse would have the opportunity to be faster than eval.

    A much less likely advantage is if the browser already has the HTML/JavaScript cached and the server uses Cache-Control to say that it does not need to reload. If that happens then of course a person intercepting would not have a chance to modify the page. But that is a very rare set of circumstances. Chances are, you are going to require the browser to check for a newer version of the HTML/JavaScript which is the default behavior.

    As for the security difference, I think you are correct.

    As for myself, I work with HTTPS confirmed systems only. But I have a function that uses JSON.parse if available and falls back on eval just for the speed improvement.
