Jim Washington wrote:
> I'm still working on yet another parser for JSON (http://json.org).

Hi, Jim.

> The only problem is, it uses eval(). It's important to sanitize the
> incoming untrusted code before sending it to eval().
> Does anyone know of any other "gotchas" with eval() I have not found? Or
> is eval() simply too evil?

I'd say that eval is just too evil.

I do wonder if it would be possible to use eval by working from the other direction. Instead of trying to filter out dangerous things, only allow a *very* strict set of things in. For example, since you're doing JSON, you don't even need to allow multiplication. If you only allowed dictionaries with string keys and a restricted set of types as values, you'd be pretty close.

But once you're at that point you might as well use your own parser and not use eval at all. <shrug>

--
Benji York

--
http://mail.python.org/mailman/listinfo/python-list
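The "write your own parser" route Benji ends on is small enough to show in full. The following is an added example, not code from the thread or from Jim's parser: a recursive-descent JSON reader that never calls eval(), accepting only the JSON grammar (objects with string keys, arrays, strings, numbers, true/false/null) and raising ValueError on anything else; `loads`, `_tokens`, `_value` and the regex names are my own choices.

```python
import re

# Constructed example (not from the thread): a recursive-descent JSON reader with no eval().
_TOKEN = re.compile(r'''\s*(?:(?P<punct>[{}\[\],:])
  | "(?P<string>(?:[^"\\\x00-\x1f]|\\["\\/bfnrt]|\\u[0-9a-fA-F]{4})*)"
  | (?P<number>-?(?:0|[1-9]\d*)(?:\.\d+)?(?:[eE][-+]?\d+)?)
  | (?P<word>true|false|null))''', re.VERBOSE)
_ESC = {'"': '"', '\\': '\\', '/': '/', 'b': '\b', 'f': '\f', 'n': '\n', 'r': '\r', 't': '\t'}
_unescape = lambda m: chr(int(m.group(1)[1:], 16)) if m.group(1)[0] == 'u' else _ESC[m.group(1)]
_SCALAR = {  # lexeme -> Python value by token kind; string escapes are decoded here
    'string': lambda s: re.sub(r'\\(u[0-9a-fA-F]{4}|.)', _unescape, s),
    'number': lambda s: float(s) if any(c in s for c in '.eE') else int(s),
    'word': {'true': True, 'false': False, 'null': None}.__getitem__}

def _tokens(text):
    # Yield ('punct', char) or ('scalar', value); anything the grammar does not allow is an error.
    pos, end = 0, len(text.rstrip(' \t\r\n'))
    while pos < end:
        m = _TOKEN.match(text, pos)
        if not m:
            raise ValueError('bad JSON at offset %d' % pos)
        pos, kind, raw = m.end(), m.lastgroup, m.group(m.lastgroup)
        yield ('punct', raw) if kind == 'punct' else ('scalar', _SCALAR[kind](raw))

def _value(toks, i):
    # Parse one value at token i; return (value, index of the next token).
    kind, tok = toks[i]
    if kind == 'scalar':
        return tok, i + 1
    if tok not in '[{':
        raise ValueError('unexpected %r at token %d' % (tok, i))
    close, out, i = (']', [], i + 1) if tok == '[' else ('}', {}, i + 1)
    while toks[i] != ('punct', close):
        if out:                                  # every member after the first needs a comma first
            if toks[i] != ('punct', ','):
                raise ValueError('expected , or %s at token %d' % (close, i))
            i += 1
        if close == '}':                         # object member is "key" : value; keys must be strings
            if toks[i][0] != 'scalar' or not isinstance(toks[i][1], str) or toks[i + 1] != ('punct', ':'):
                raise ValueError('object keys must be strings followed by : (token %d)' % i)
            key, i = toks[i][1], i + 2
        item, i = _value(toks, i)
        if close == ']': out.append(item)
        else: out[key] = item
    return out, i + 1
def loads(text):
    toks = list(_tokens(text)) + [('punct', 'EOF')]   # sentinel keeps lookahead in range
    value, i = _value(toks, 0)
    if toks[i] != ('punct', 'EOF'):
        raise ValueError('trailing data after the JSON value')
    return value
```

Because the tokenizer only ever produces the four JSON token classes, there is nothing to "sanitize": input that is not JSON simply fails to parse.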