Categories
javascript json parsing

Safely turning a JSON string into an object

1451

Given a string of JSON data, how can I safely turn that string into a JavaScript object?

Obviously I can do this unsafely with something like:

var obj = eval("(" + json + ')');

but that leaves me vulnerable to the JSON string containing other code, which it seems very dangerous to simply eval.

5

  • 84

    In most languages eval carries an additional risk. Eval leaves an open door to be exploited by hackers. HOWEVER, remember that all javascript runs on the client. EXPECT that it will be changed by hackers. They can EVAL anything they want, just by using the console. You must build your protection on the server side.

    Feb 7, 2013 at 17:34


  • 22

    Ok, now it is 2014 and you should never use eval in order to parse a JSON string because you would be exposing your code to “code injection”. Use JSON.parse(yourString) instead.

    – Daniel

    Oct 22, 2014 at 6:27


  • 1

    Is the JSON data a literal ?

    – shanechiu

    Sep 25, 2017 at 10:02

  • 1

    @shanechiu: if you mean a scalar data type, yes it is. Is just a string with a key-value syntax in it.

    – 0zkr PM

    Sep 17, 2018 at 18:09

  • 1

    See the documentation on the parse() method: w3schools.com/js/js_json_parse.asp

    – Ale Gu

    Jul 17, 2020 at 20:56


2082

JSON.parse(jsonString) is a pure JavaScript approach so long as you can guarantee a reasonably modern browser.

12

  • 76

    I’m pretty sure it’s safe for Node.js

    – Stephen

    Oct 18, 2011 at 17:07

  • 2

    It isn’t supported in all browsers, but the script at the link below adds it to browsers that don’t have it: github.com/douglascrockford/JSON-js/blob/master/json2.js

    Jan 12, 2013 at 5:53


  • 5

    Pretty safe to use.

    – Redsandro

    Oct 8, 2013 at 11:52


  • 13

    If you are doing NodeJS, there is no way I would load up jQuery just to parse a jsonString into a JSON object. So upvote Jonathan’s answer

    – Antony

    Oct 15, 2013 at 16:49

  • 6

    According to this link it is supported by IE8+, although it says: Requires document to be in IE8+ standards mode to work in IE8.

    Jan 12, 2015 at 21:19


893

The jQuery method is now deprecated. Use this method instead:

let jsonObject = JSON.parse(jsonString);

Original answer using deprecated jQuery functionality:

If you’re using jQuery just use:

jQuery.parseJSON( jsonString );

It’s exactly what you’re looking for (see the jQuery documentation).

3

  • 8

    Is there a reason to use this over JSON.parse()?

    – Jon

    Mar 20, 2016 at 2:02


  • 9

    jQuery.parseJSON defaults to using JSON.parse if it exists, so the only reason to use this over the real one is if you need a fallback for <IE7. It was changed way back in jQuery 1.6: james.padolsey.com/jquery/#v=1.6.0&fn=jQuery.parseJSON

    Apr 5, 2016 at 20:49

  • 12

    2016 update: As of jQuery 3.0, $.parseJSON is deprecated and you should use the native JSON.parse method instead.

    – jkdev

    Jun 28, 2016 at 22:36


165

This answer is for IE < 7, for modern browsers check Jonathan’s answer above.

This answer is outdated and Jonathan’s answer above (JSON.parse(jsonString)) is now the best answer.

JSON.org has JSON parsers for many languages including four different ones for JavaScript. I believe most people would consider json2.js their goto implementation.

3

  • 28

    I wish people would stop down-voting this answer. It was accurate when it was posted in 2008. Just upvote the new one.

    – John

    Jan 16, 2015 at 2:26

  • 23

    If the answer is now outdated, consider updating it.

    Mar 7, 2015 at 5:35

  • 3

    for IE < 8 you need to use this.

    Jul 16, 2015 at 20:22