Is JSON.parse() really safer than eval() when web page and ajax call come from same server?

Backend · Unresolved · 4 · 1177
无人及你 2021-02-05 14:43

I get that JSON.parse() prevents an attacker from injecting javascript into the response since a JSON parser is just a text parser, not a script parser so please don't close th

4 answers

隐瞒了意图╮ 2021-02-05 15:13

Well... I'm not advocating the usage of eval, but I don't think it constitutes a security issue in JavaScript, because JavaScript is a client-side language. If you don't use eval in your code, what prevents me from running javascript:my_own_evil_code() in the console or address bar? It is JavaScript; I can run my own code or modify yours, create my own HTTP requests and do anything with HTTP responses, or even add my own eval to your functions.

You shouldn't use eval if there is another comparable solution available, but if you, just for simplicity, want to do eval('('+jsonstring+')') to emulate JSON.parse, I don't think it is a big mistake.
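As an added example (not from the question or the answer above), here is the eval-based decoder the answer describes, beside JSON.parse, run over constructed response bodies: JSON.parse accepts only the JSON grammar and throws SyntaxError on anything else, while eval('(' + body + ')') evaluates whatever JavaScript expression the body contains. The helper recordSideEffect and the sample bodies are constructed for this demonstration.

```javascript
// Constructed marker: any code the decoder executes lands here, so execution is observable.
const sideEffects = [];
function recordSideEffect(tag) { sideEffects.push(tag); return tag; }

// The eval-based "JSON.parse emulation" from the answer above.
function decodeWithEval(body) {
  return eval('(' + body + ')');
}

// JSON.parse only accepts the JSON grammar; anything else throws SyntaxError.
function decodeWithJsonParse(body) {
  return JSON.parse(body);
}

// Run a decoder and report whether it returned a value or threw,
// plus how many side effects the body managed to trigger.
function tryDecode(decoder, body) {
  sideEffects.length = 0;
  try {
    const value = decoder(body);
    return { ok: true, value, effects: sideEffects.length };
  } catch (e) {
    return { ok: false, error: e.name, effects: sideEffects.length };
  }
}

// Constructed response bodies.
const validJson = '{"user":"alice","roles":["admin"]}';
// Not JSON: a JavaScript comma expression. A tampered or buggy response could look like this.
const expressionBody = 'recordSideEffect("ran") , {"user":"alice"}';
// Not JSON either: unquoted keys are JavaScript object-literal syntax only.
const looseObject = '{user: "alice"}';

// Decode each body both ways; eval runs the expression, JSON.parse rejects it.
function demo() {
  return {
    valid: [tryDecode(decodeWithEval, validJson), tryDecode(decodeWithJsonParse, validJson)],
    expression: [tryDecode(decodeWithEval, expressionBody), tryDecode(decodeWithJsonParse, expressionBody)],
    loose: [tryDecode(decodeWithEval, looseObject), tryDecode(decodeWithJsonParse, looseObject)],
  };
}
```

The third case shows the other side of the trade: JSON.parse also rejects input that eval would happily accept, so switching decoders can surface non-JSON responses that were silently tolerated before.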
