10000 README: Replace deserialize eval with JSON.parse (#38) · yahoo/serialize-javascript@85b0435 · GitHub
Commit 85b0435

README: Replace deserialize eval with JSON.parse (#38)
This updates README.md to suggest using [JSON.parse](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/JSON/parse) instead of eval to address security concerns.
1 parent ac79a5a commit 85b0435

File tree

1 file changed (+1, -9 lines changed)

README.md

Lines changed: 1 addition & 9 deletions
Original file line number | Diff line number | Diff line change
@@ -117,15 +117,7 @@ serialize(obj, {ignoreFunction: true});
117117

118118
## Deserializing
119119

120-
For some use cases you might also need to deserialize the string. This is explicitly not part of this module. However, you can easily write it yourself:
121-
122-
```js
123-
function deserialize(serializedJavascript){
124-
return eval('(' + serializedJavascript + ')');
125-
}
126-
```
127-
128-
**Note:** Don't forget the parentheses around the serialized javascript, as the opening bracket `{` will be considered to be the start of a body.
120+
For some use cases you might also need to deserialize the string. Modern browsers support using [JSON.parse](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/JSON/parse) to deserialize JSON, which protects against malicious scripts being executed through malformed JSON.
129121

130122
## License
131123

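Review bot: the replacement sentence at diff line 120 overstates what `JSON.parse` can do with this module's output, and the security rationale is stated imprecisely. `JSON.parse` accepts strict JSON only, while the hunk header `serialize(obj, {ignoreFunction: true});` shows that the serializer emits function bodies (and, as the module name says, JavaScript rather than JSON) unless told not to, so `JSON.parse(serialize(obj))` throws a `SyntaxError` for such values instead of deserializing them. The line should say that `JSON.parse` is a drop-in only when the serialized value is JSON-compatible, and should name the actual risk: `eval` executes whatever script the string contains, whereas `JSON.parse` never executes code; "malformed JSON" is not the threat. Suggested wording: "If the serialized value contains only JSON-compatible data (for example, when functions are excluded with `ignoreFunction: true`), deserialize it with `JSON.parse`, which never executes code; avoid `eval`, which runs any script embedded in the string." Dropping the old note about wrapping parentheses is correct, since `JSON.parse` does not need them.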