Right now (jquery 1.2.6), the httpData function does this with JSON data: // Get the JavaScript object, if JSON is used. if ( type == "json" ) data = eval("(" + data + ")");
This is not very secure. It would be better to allow users to choose a JSON parser to use to parse the data into a json object. Now, I can easily override this method, but it is not listed as a public API method. I would prefer that, to prevent breaking myself, that this be split into a separate function: parseJSON: function (string) { return eval("(" + data + ")"); } then document this method as part of the API. now someone can switch this method to use a JSON parser instead (there are several parsers out there and at least one already written as a jq plugin)