Acidus wrote:
new Ajax.Request('?url=backend',{onSuccess:responseHandler});
var responseHandler = function(t) { json = eval(t.getResponseHeader('X-JSON'));
eval() is the WORST thing you can ever do in JavaScript and people who process JSON with eval() should be punched in the face.
Quoting from the great Douglas Crockford:
However, [eval()] can compile and execute any JavaScript program, so there can be security issues. The use of eval is indicated when the source is trusted. This is commonly the case in web applications when a web server is providing both the base page and the JSON data. There are cases where the source is not trusted. In particular, clients should never be trusted.
When security is a concern it is better to use a JSON parser. A JSON parser will only recognize JSON text and so is much safer:
Ducks.
