[ACCEPTED]-JSON serializing an object with function parameter-javascriptserializer

Accepted answer
Score: 23

I was trying to accomplish something similar. In my case I was using MVC Razor syntax trying to generate a json object with a function passed in using the @<text> syntax.

I was able to get the desired output using the Json.net library (using JsonConvert and JRaw).

Example:

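using Newtonsoft.Json;       // JsonConvert
using Newtonsoft.Json.Linq;  // JRaw

// set the property value using JRaw (JRaw is written to the output verbatim, without quoting)
var obj = new {
    username = "andrey",
    callback = new JRaw("function(self) { return function() {self.doSomething()} (this) }")
};
// and then serialize using the JsonConvert class
var jsonObj = JsonConvert.SerializeObject(obj);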

That should get you the json object with the function (instead of the function in a string).

Post: How to serialize a function to json (using razor @<text>)

Score: 7

This behavior is deliberate. JSON should not include anything that is not data -- in your case an executable function. The browser will be opening up to huge security risks if data can come back from a server in JSON format that, when executed, will run arbitrary functions (that can steal info, redirect the user to a malicious site etc.)

Early implementations of JSON rely on the fact that data returned back can be simply executed via eval() to get back an object. However, people almost immediately realized that this opens up huge security risks and have been trying to handle it since. That's why, before the standardized JSON object, people stopped putting raw JSON data into eval() and used JSON parsing libraries instead.

The JSON object will always serialize an object into data only. This is by design. The standardized JSON format has no way to represent an executable function.

Now, you can easily convert that callback on a browser into a function by passing it through to eval(). However, don't do it. You're just opening yourself up for hacking.

On the server side, modern browsers are designed to prevent this exact thing from happening -- i.e. data being sent from a browser that contains an executable function.

Score: 0

You can make use of the constructor of the Function object. See https://developer.mozilla.org/nl/docs/Web/JavaScript/Reference/Global_Objects/Function.

In your json you set the callback property to a string array that describes the Function constructor parameters. Then when the json data has arrived on the client you have to convert the Array to an instance of the Function object.

This way you can have the function implementation details in your back database instead of hardcoded in source code.

const json = '{"username":"andrey","callback":["self","return self.doSomething()"]}';

//Parse the json to an object
const object = JSON.parse(json);

//Convert the callback property from Array to Function
object["callback"] = new Function(...object["callback"]);

//Create a parameter for calling the Function
var self = {
    doSomething() {
        console.log("Do something called");
    }
}

//Call the function
object["callback"](self);
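
An allow-list alternative to evaluating server-supplied code, relevant to the eval() warning and the Function-constructor approach in the answers above. This is an added example, not part of any answer on this page; the callback names, helper names and sample payloads are constructed for illustration.

```javascript
// Callbacks that ship with the page's own script. The server may only
// select one of these by name (names here are hypothetical).
const CALLBACKS = Object.freeze({
  __proto__: null, // no inherited keys such as "constructor"
  doSomething: (self) => self.doSomething(),
  refresh: (self) => self.refresh(),
});

// Parse server JSON and replace the "callback" name with the real function.
// Anything that is not a known name is rejected instead of being evaluated.
function reviveCallback(jsonText) {
  const obj = JSON.parse(jsonText); // data only: never executes code
  const name = obj.callback;
  const known = typeof name === "string" &&
    Object.prototype.hasOwnProperty.call(CALLBACKS, name);
  if (!known) {
    throw new TypeError("unknown callback: " + JSON.stringify(name));
  }
  return { ...obj, callback: CALLBACKS[name] };
}

// Run a payload against a stub "self" and report what happened.
function tryPayload(jsonText) {
  const calls = [];
  const self = {
    doSomething: () => calls.push("doSomething"),
    refresh: () => calls.push("refresh"),
  };
  try {
    reviveCallback(jsonText).callback(self);
    return "ran " + calls.join(",");
  } catch (e) {
    return "rejected: " + e.name;
  }
}

// Constructed sample payloads.
const samples = [
  '{"username":"andrey","callback":"doSomething"}',        // known name
  '{"username":"andrey","callback":"function(){alert(1)}"}', // code in a string
  '{"username":"andrey","callback":["self","return 1"]}',  // Function-ctor args
  '{"username":"andrey","callback": function(){}}',        // not valid JSON
];
for (const s of samples) console.log(tryPayload(s), "<-", s);
```

With this shape the server still decides which behaviour runs, but the code itself only ever comes from the script the page already loaded.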
