Is it valid to define functions in JSON results?

一向 2020-11-22 11:38

Part of a website's JSON response had this (... added for context):

{..., now:function(){return(new Date).getTime()}, ...}

Is adding anony

11 Answers
  • 2020-11-22 11:56

    Using NodeJS (CommonJS syntax), I was able to get this type of functionality working. I originally had just a JSON structure inside some external JS file, but I wanted that structure to be more of a class, with methods that could be decided at run time.

    The declaration of 'Executor' in myJSON is not required.

    var myJSON = {
        "Hello": "World",
        "Executor": ""
    }
    
    module.exports = {
        init: () => { return { ...myJSON, "Executor": (first, last) => { return first + last } } }
    }
    
  • 2020-11-22 12:03

    It is not standard as far as I know. A quick look at http://json.org/ confirms this.

  • 2020-11-22 12:03

    JSON explicitly excludes functions because it isn't meant to be a JavaScript-only data structure (despite the JS in the name).

  • 2020-11-22 12:08

    Let's quote one of the specs - http://tools.ietf.org/html/rfc7159#section-12

    The JavaScript Object Notation (JSON) Data Interchange Format Specification states:

    JSON is a subset of JavaScript but excludes assignment and invocation.

    Since JSON's syntax is borrowed from JavaScript, it is possible to use that language's "eval()" function to parse JSON texts. This generally constitutes an unacceptable security risk, since the text could contain executable code along with data declarations. The same consideration applies to the use of eval()-like functions in any other programming language in which JSON texts conform to that language's syntax.

    So all answers which state that functions are not part of the JSON standard are correct.

    The official answer is: No, it is not valid to define functions in JSON results!


    The answer could be yes, because "code is data" and "data is code". Even if JSON is used as a language independent data serialization format, a tunneling of "code" through other types will work.

    A JSON string might be used to pass a JS function to the client-side browser for execution.

    [{"data":[["1","2"],["3","4"]],"aFunction":"function(){return \"foo bar\";}"}]
    

    This leads to questions like: How to "Execute JavaScript code stored as a string".

    Be prepared to raise your "eval() is evil" flag and stick your "do not tunnel functions through JSON" flag next to it.

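An added example (not part of the original answers) contrasting strict `JSON.parse` with the eval()-style parsing the RFC passage above warns about, and showing a name-based dispatch table as an alternative to tunneling function source through a JSON string. The payloads are constructed from the snippets quoted on this page; `HANDLERS`, `resolveHandler` and the operation names are hypothetical.

```javascript
// Constructed sample payloads, modelled on the snippets quoted on this page.
const fromQuestion = '{"a":1,"now":function(){return(new Date).getTime()}}';
const tunneled = '[{"data":[["1","2"],["3","4"]],"aFunction":"function(){return \\"foo bar\\";}"}]';
// Harmless stand-in for "executable code along with data declarations".
const withAssignment = '{"a":1,"b":(globalThis.sideEffectRan = true)}';

// Strict parsing: the text is only ever treated as data.
function parseStrict(text) {
  try {
    return { ok: true, value: JSON.parse(text) };
  } catch (err) {
    return { ok: false, error: err.name }; // "SyntaxError" for non-JSON input
  }
}

// The eval()-style parsing the RFC warns about: the text runs as JavaScript.
function parseWithEval(text) {
  return (0, eval)('(' + text + ')');
}

// Functions do not survive serialization either: JSON.stringify drops them.
function roundTrip(obj) {
  return JSON.parse(JSON.stringify(obj));
}

// Instead of tunneling code in a string, send an operation name and map it
// to code the client already ships (handler names here are hypothetical).
const HANDLERS = Object.freeze({
  now: () => Date.now(),
  fooBar: () => 'foo bar',
});

function resolveHandler(name) {
  // Own-property check so "constructor" or "toString" never resolve.
  return Object.prototype.hasOwnProperty.call(HANDLERS, name) ? HANDLERS[name] : null;
}

console.log(parseStrict(fromQuestion));                        // rejected as non-JSON
console.log(typeof parseStrict(tunneled).value[0].aFunction);  // stays an inert string
globalThis.sideEffectRan = false;
parseWithEval(withAssignment);
console.log(globalThis.sideEffectRan);                         // eval ran the embedded assignment
console.log(parseStrict(withAssignment).ok, roundTrip({ a: 1, now() {} }));
console.log(resolveHandler('fooBar')(), resolveHandler('constructor'));
```
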
  • 2020-11-22 12:09

    No.

    JSON is purely meant to be a data description language. As noted on http://www.json.org, it is a "lightweight data-interchange format." - not a programming language.

    Per http://en.wikipedia.org/wiki/JSON, the "basic types" supported are:

    • Number (integer, real, or floating point)
    • String (double-quoted Unicode with backslash escaping)
    • Boolean (true and false)
    • Array (an ordered sequence of values, comma-separated and enclosed in square brackets)
    • Object (collection of key:value pairs, comma-separated and enclosed in curly braces)
    • null
  • 2020-11-22 12:09

    Leave the quotes off...

    var a = {"b":function(){alert('hello world');} };
    
    a.b();
    