But our discussion had a part that won’t make it into the book (O’Reilly’s editors are pretty strict), though it can be shared with you in this blog. Protecting your application’s fragile body from being infected by means of eval() can and should be done outside of your application code: use the HTTPS protocol and eliminate cross-origin scripting by routing all requests to third-party data sources through a proxy on your own hosts. If the previous statement seems too complicated to understand, I’ll give you another explanation that any adult software developer will understand.
If a man puts on a condom before having sex with a woman domestic partner, it’s like calling JSON.parse() – both are guaranteed that no malicious stuff will be injected. But if a man approaches a woman domestic partner without a condom, holding instead a piece of paper signed by a venereologist certifying that this man is healthy – it’s like allowing the use of eval(), but providing protection at the security layer of your Web application.
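To make the JSON.parse() half of the analogy concrete, here is an added example (not code from the original post). The sample server responses are constructed for illustration; the point is that JSON.parse() accepts only the JSON grammar, so a response that is really code (a JSONP callback wrapper, an embedded expression, a trailing statement) is rejected with a SyntaxError rather than executed, whereas eval() would run all of them. The shape check that follows is an assumption about what a caller would want from the data, not something the post specifies.

```javascript
// Added example: consuming third-party data with JSON.parse() instead of eval().
// JSON.parse() is a data parser, not a code interpreter, so anything outside
// the JSON grammar fails to parse and never runs.

function parseUntrustedJson(text) {
  try {
    return { ok: true, value: JSON.parse(text) };
  } catch (err) {
    // SyntaxError: the payload is not JSON (JSONP wrapper, expression, statement, ...)
    return { ok: false, error: err.name };
  }
}

// JSON.parse() guarantees syntax, not structure. A caller should still check that
// the parsed value has the shape it expects before using it (assumed shape here).
function isUserRecord(value) {
  return (
    value !== null &&
    typeof value === 'object' &&
    !Array.isArray(value) &&
    typeof value.user === 'string' &&
    Array.isArray(value.roles) &&
    value.roles.every((r) => typeof r === 'string')
  );
}

// Constructed sample responses, as a third-party API might return them.
const SAMPLES = {
  plainData: '{"user":"alice","roles":["reader"]}',
  wrongShape: '{"user":42,"roles":"admin"}',             // valid JSON, wrong structure
  jsonpWrapped: 'callback({"user":"alice","roles":[]})', // a function call, not data
  embeddedCode: '{"user":(function(){return "x"})(),"roles":[]}',
  trailingStatement: '{"user":"alice","roles":[]}; doSomething()',
};

// For each sample: did it parse as JSON, and does it have the expected shape?
function classifySamples(samples) {
  const result = {};
  for (const [name, text] of Object.entries(samples)) {
    const parsed = parseUntrustedJson(text);
    result[name] = {
      parsed: parsed.ok,
      accepted: parsed.ok && isUserRecord(parsed.value),
    };
  }
  return result;
}

// Usage: only the first sample is both valid JSON and the expected record shape.
console.log(classifySamples(SAMPLES));
```

Combined with proxying the third-party request through your own host (so the browser only ever talks to your origin over HTTPS), this keeps the data path purely declarative: the response can describe users and roles, but it cannot carry instructions.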