22

In my angularjs apps, I usually parse a JSON string by using angular.fromJson, like so:

var myObject=angular.fromJSON(jsonString);

However, it seems that I would obtain the same result by using $scope.$eval:

var myObject=$scope.$eval(jsonString);

See this fiddle

Or by using vanilla javaScript, like so:

var myObject=JSON.parse(jsonString);

  • Is there any particular reason to use angular.fromJSON rather than JSON.parse?

  • Is there any possible issue when using $scope.$eval to parse a JSON string?

Improve this question

2 Answers 2

Reset to default
33

Check out the source code:

function fromJson(json) {
  return isString(json)
      ? JSON.parse(json)
      : json;
}

They're just passing through to JSON.parse.

As for $eval it shells out to $parse:

  // $scope.$eval source:
  $eval: function(expr, locals) {
    return $parse(expr)(this, locals);
  },

$parse source is too long to post, but it is essentially capable of converting inline (stringified) objects to real Objects and so it makes sense that in this case, it will actually convert your JSON as well.

(I did not know this until reading through the $parse source just now.)

Is there any particular reason to use angular.fromJSON rather than JSON.parse?

Nope, not really. Although they do check to you to ensure that you don't double-parse a JSON string, like so:

var jsonString = '{"foo":"bar"}';
var json = JSON.parse(jsonString); // Parsing once is good :)
JSON.parse(json); // Parsing twice is bad :(

Is there any possible issue when using $scope.$eval to parse a JSON string?

I don't think so off the top of my head, other than that you're doing more work than is necessary. So if you know you have JSON, there's no reason to use the heavier $parse function.

Improve this answer
Sign up to request clarification or add additional context in comments.

5 Comments

Yet there are some (slight) differences in performance jsperf.com/json-parse-v-angular-fromjson
$scope.$eval is for evaluating JavaScript expressions. If you try to eval JSON you'll get an error.
It seems to eval json and return an object: please check the fiddle I provided
@brianvaughn, thank you for taking an interest in this post. You are showing effort, and I would like to accept your answer :) however, you have not really answered yet the questions at the end at the post, which are: Is there any particular reason to use angular.fromJSON rather than JSON.parse? Is there any possible issue when using $scope.$eval to parse a JSON string?
Sorry, I thought that answer was implicit. I'll update my response once more. ;)
5

The above answer is almost correct. However, there is a potential issue with using $scope.$eval() to parse a JSON string, which does not exist with either JSON.parse() or angular.fromJson(): security. Angular allows an expression to contain complex JavaScript including function calls, conditionals with ?:, variable assignments, and so on. All of these are recognised and processed if you use $scope.$eval(), even if they were added by a malicious end-user.

JSON does not support any of those more complex JavaScript features, nor anything else potentially "dangerous". If you use a true JSON parser like JSON.parse() or angular.fromJson(), there is no chance of malicious code being injected and executed.

Since Angular expressions are isolated and evaluate only in the current $scope, the risk of code injection is somewhat mitigated - $scope.$eval() is far less dangerous than JavaScript's native eval() for parsing JSON. However there is still no reason to use either function for this purpose, since there is a potential security risk and using a proper JSON parser is likely to be faster.

Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.