Pseudo-JSON with unquoted property names

Mark S. Miller erights at google.com
Fri Jun 5 17:31:09 PDT 2009


On Fri, Jun 5, 2009 at 5:07 PM, Brendan Eich <brendan at mozilla.org> wrote:

>
> Do Doug and Mark share your risk-of-perpetuating-eval analysis?
>

I think the logic of David-Sarah's argument is sound, but I do not agree
with the conclusions. The security of those who do switch to the new JSON
API is unaffected by the continued use of eval by others. Given the sparsity
of examples found so far, I'd guess that most of those who continue to use
eval for the reasons David-Sarah mentions will continue to use eval even if
we change JSON to operate as he suggests. There's really not much we can do
to improve the security of code that isn't maintained.

-- 
   Cheers,
   --MarkM


More information about the es5-discuss mailing list