Here is the official JavaScript official parser :
// In the second stage, we run the text against regular expressions that look // for non-JSON patterns. We are especially concerned with '()' and 'new' // because they can cause invocation, and '=' because it can cause mutation. // But just to be safe, we want to reject all unexpected forms. // We split the second stage into 4 regexp operations in order to work around // crippling inefficiencies in IE and Safari regexp engines. First we // replace the JSON backslash pairs with '@' (a non-JSON character). Second, we // replace all simple value tokens with ']' characters. Third, we delete all // open brackets that follow a colon or comma or that begin the text. Finally, // we look to see that the remaining characters are only whitespace or ']' or // ',' or ':' or '{' or '}'. If that is so, then the text is safe for eval. if (/^[\],:{}\s]*$/. test(text.replace(/\\(?:["\\\/bfnrt]|u[0-9a-fA-F]{4})/g, '@'). replace(/"[^"\\\n\r]*"|true|false|null|-?\d+(?:\.\d*)?(?:[eE][+\-]?\d+)?/g, ']'). replace(/(?:^|:|,)(?:\s*\[)+/g, ''))) { // In the third stage we use the eval function to compile the text into a // JavaScript structure. The '{' operator is subject to a syntactic ambiguity // in JavaScript: it can begin a block or an object literal. We wrap the text // in parens to eliminate the ambiguity. j = eval('(' + text + ')'); ...
Except for the built-in JSON parsing support found in modern browsers, this is all (library-based) protected by JSON Parsers (i.e., Regular Expression before eval ).
Protected libraries (in addition to the official json2 implementation)
The prototype isJSON .
Mootools JSON.decode function (again, via regex before eval ).
Unsecured Libraries :
dojo fromJson does not provide secure eval ing. Here is their entire implementation (minus the comments) :
dojo.fromJson = function(json) { return eval("(" + json + ")"); }
jQuery does not provide secure JSON eval 'ing, but see the official secureEvalJSON plugin (line 143).