> Thanks. Why do you think that this is a bug?

"bug" may be a hard word 🙂 But there is no forum for "potential security risks" ....

It may be an unecessary security risk - as eval() may have side effects. (probably the reason for the "protect against while(1) at the beginning)

Mozilla took its time to implement the global JSON-object for a reason - as eval() has to take more care then "unserialize an object". I did not time it, but would bet that on recent browser native JSON.parse is faster then eval()

Thanks for that .extend - that can help me in other situations, too!

best wishes

Harald

Thanks. Why do you think that this is a bug?

Also do the following - after you load the jqGrid JS files include in your load the ultra-opimized JSON-parser and do the following

This will overwrite the jqGrid parse function.

Regards

Tony

parse : function(jsonString) {
        var js = jsonString;
        if (js.substr(0,9) == "while(1);") { js = js.substr(9); }
        if (js.substr(0,2) == "/*") { js = js.substr(2,js.length-4); }
        if(!js) { js = "{}"; }
        with(window) {
            return  eval('('+js+')');
        }
    },

using eval() poses quite some hacking potential; and better browser nowadays have included an ultra-opimized JSON-parser with the global JSON object. An easy substitute is to:

a) include

http://www.json.org/json2.js

(public domain code)

b) replace that lines with
    parse : function(jsonString) {
        return JSON.parse(jsonString);
    },

json2.js makes sure that the native browser JSON-parser gets used if available, and otherwise is better protected against injection of malicous code.

Harald