JSON Security – Is Google-Gson Library’s Escaping Enough for Safe JSON Payloads?

Tags: java, javascript, json, security

I am currently using the Google-Gson library to convert Java objects into JSON inside a web service.

Once the object has been converted to JSON, it is returned to the client to be converted into a JSON object using the JavaScript eval() function. Is the character escaping provided by the Gson library enough to ensure that nothing nasty will happen when I run the eval() function on the JSON payload?

Do I need to HTML Encode the Strings in the Java Objects before passing them to the Gson library? Are there any other security concerns that I should be aware of?

Best Answer

No, Gson is not meant to be used to securely encode JSON in all possible cases. Instead, use a library dedicated to securely parse JSON. JSON.parse is a good example.
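As an added illustration of the answer above (example code, not part of the original post or of Gson itself), the following shows the client-side difference between `JSON.parse` and `eval()` on two constructed payloads: one shaped like Gson's default output for a string containing HTML characters (Gson emits `<`, `>`, `&`, `=` and `'` as `\uXXXX` escapes unless HTML escaping is disabled), and one that is not JSON at all. `parseStrict`, `parseWithEval` and `isValidJson` are names chosen for this example.

```javascript
// Added example (not from the original post): why the client should use
// JSON.parse rather than eval() on a JSON payload produced by Gson.
//
// Constructed sample payloads. The first resembles Gson's default output
// for a String field containing HTML characters: the characters are
// emitted as \uXXXX escapes, which is plain, valid JSON.
const gsonLikePayload =
  '{"name":"Ada \\u003cb\\u003eLovelace\\u003c/b\\u003e","age":36}';

// The second is NOT valid JSON: it contains a JavaScript expression.
// A strict JSON parser must reject it; eval() will execute it.
const nonJsonPayload =
  '{"name":"Ada","computed":(function(){ return 6 * 7; })()}';

// Strict parsing: JSON.parse accepts only the JSON grammar and never
// executes code. Returns the parsed value, or null if the text is not
// JSON (for this demo the literal "null" is treated as invalid too).
function parseStrict(text) {
  try {
    return JSON.parse(text);
  } catch (e) {
    return null;
  }
}

// The legacy approach from the question: eval() with the usual
// parenthesis wrapper so an object literal is parsed as an expression.
// Shown only to illustrate the difference; not for production use.
function parseWithEval(text) {
  try {
    return eval("(" + text + ")"); // runs any JS embedded in the payload
  } catch (e) {
    return null;
  }
}

// Client-side check: true only if the payload is valid JSON, so a
// server-side bug or a tampered response is detected rather than run.
function isValidJson(text) {
  return parseStrict(text) !== null;
}

function demo() {
  const strict = parseStrict(gsonLikePayload);
  console.log("JSON.parse decodes the escapes:", strict.name);
  console.log("Strict parser rejects non-JSON:", parseStrict(nonJsonPayload) === null);
  console.log("eval() executes the embedded expression:", parseWithEval(nonJsonPayload).computed);
}
demo();
```

The practical takeaway: with `JSON.parse` the server's escaping only has to produce valid JSON, and any response that is not valid JSON fails loudly on the client instead of being executed.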
