If you are trying to send JavaScript via AJAX, that's not JSON. JSON is
about data only (see: http://json.org/), and that's exactly what makes
secureEvalJSON() secure. This function checks that there is nothing
else in your JSON except data, especially no JavaScript commands.
QUOTE: "secureEvalJSON: Converts from JSON to Javascript, but does so
while checking to see if the source is actually JSON, and not with
other Javascript statements thrown in."

If your question is: How secure is it to transfer JavaScript via AJAX?
Then the answer depends on how secure your channel is, how confident
you are that the data are really from the expected source, and how much
you trust your source.

For a first shot I would say that it is insecure by default.
However it depends on your application. Most web pages are loaded over
an insecure channel and from an unidentified source, and we live quite
well with it - as long as it's not my net banking page or an online
shop.
But from your example, I guess you are talking exactly about an online
shop - then you could use HTTPS; this would eliminate the network
questions, at least.


by(e)
Stephan


2009/1/29 Trend-King <i...@trend-king.de>:
>
> ok that's right, but $.ajax() also does that, so my problem is how safe it
> is to pass <script></script> through JSON and then append it to the DOM
> and it will be executed
>
> On 29 Jan., 15:13, jQuery Lover <ilovejqu...@gmail.com> wrote:
>> Reading the plugin homepage it does not. It only encodes and decodes
>> JSON or am I missing anything?
>>
>> ----
>> Read jQuery HowTo Resource  -  http://jquery-howto.blogspot.com
>>
>>
>>
>> On Thu, Jan 29, 2009 at 6:57 PM, Trend-King <i...@trend-king.de> wrote:
>>
>> > ok and that's safe for things like a string $("#cart_info").fadeIn
>> > (500);setTimeout(function(){$("#cart_info").fadeOut(500)},2000);
>> > gotten from JSON?
>>
>> > On 29 Jan., 14:51, Stephan Veigl <stephan.ve...@gmail.com> wrote:
>> >> hi,
>>
>> >> check out the secureEvalJSON() method of the json plugin.
>> >> http://code.google.com/p/jquery-json/
>>
>> >> by(e)
>> >> Stephan
>>
>> >> 2009/1/29 Trend-King <i...@trend-king.de>:
>>
>> >> > Hi there, another question from me: how safe is it to eval() data gotten
>> >> > via a JSON $.ajax() call
>>
>> >> > I want to get javascript data to be executed after JSON $.ajax() call.
>>
>> >> > or is there another way to do that?

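Added example, not part of the thread or of the jquery-json plugin: one way to keep the AJAX response "data only", as discussed above, is to send an action name plus arguments and let the page look the action up in its own allowlist instead of evaluating or appending received script. It uses the built-in JSON.parse in place of the plugin's secureEvalJSON(); `dispatch`, `makeHandlers`, the `flashCart` action and the sample responses are hypothetical and constructed for illustration.

```javascript
// Added example. dispatch, makeHandlers and the "flashCart" action are hypothetical names.

// Client-side allowlist: the response names an action, the code lives in the page.
// In a browser flashCart would run $("#cart_info").fadeIn(fadeMs) and a timed
// fadeOut; here it only records the call so the example also runs under Node.
function makeHandlers(calls) {
  return {
    flashCart(args) {
      const ok = (n) => Number.isInteger(n) && n >= 0 && n <= 10000;
      if (!ok(args.fadeMs) || !ok(args.holdMs)) return "rejected: bad arguments";
      calls.push(["flashCart", args.fadeMs, args.holdMs]);
      return "ok";
    },
  };
}

// Parse the response as data only, then look the action up in the allowlist.
function dispatch(text, handlers) {
  let msg;
  try {
    msg = JSON.parse(text); // accepts JSON data only; statements throw SyntaxError
  } catch (e) {
    return "rejected: not JSON";
  }
  if (msg === null || typeof msg !== "object" || Array.isArray(msg)) {
    return "rejected: not an object";
  }
  // hasOwnProperty keeps inherited names such as "constructor" out of the lookup.
  if (typeof msg.action !== "string" ||
      !Object.prototype.hasOwnProperty.call(handlers, msg.action)) {
    return "rejected: unknown action";
  }
  if (msg.args === null || typeof msg.args !== "object") return "rejected: bad arguments";
  return handlers[msg.action](msg.args);
}

// Constructed sample responses; the first is the string quoted in the thread.
const SAMPLES = [
  '$("#cart_info").fadeIn(500);setTimeout(function(){$("#cart_info").fadeOut(500)},2000);',
  '{"action":"flashCart","args":{"fadeMs":500,"holdMs":2000}}',
  '{"action":"constructor","args":{}}',
  '{"html":"<script></script>"}', // valid JSON, but nothing here appends it to the DOM
  '{"action":"flashCart","args":{"fadeMs":"500","holdMs":2000}}',
];

function runSamples() {
  const calls = [];
  const results = SAMPLES.map((s) => dispatch(s, makeHandlers(calls)));
  return { results, calls };
}
```

The fourth sample shows that a markup string can be perfectly valid JSON, so checking that a response is JSON says nothing about what the page then does with the strings inside it.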