Chapter 10. JSON: SON of JavaScript

JavaScript, objects, and notation, oh my!

If you ever need to represent objects in your JavaScript, then you’re going to love JSON, JavaScript Standard Object Notation. With JSON, you can represent complex objects and mappings with text and a few curly braces. Even better, you can send and receive JSON from other languages, like PHP, C#, Python, and Ruby. But how does JSON stack up as a data format? Turn the page and see...

Joe: I think we might have different definitions of flawless, man. Two DOM trees to work with, and dealing with whitespace in the server’s response?

Jim: That’s a good point, Frank. Did you even check for whitespace nodes?

Frank: No, but that’s easy enough to add in—

Joe: And your code will get even more convoluted.

Frank: Hey, at least my code works. And that CSV stuff was a total bust.

Jim: It worked great! At least... well, it worked pretty well until we had data where the structure changed depending on the item.

Joe: So you’ve got broken CSV, or convoluted XML. What a choice! Good thing there’s another option.

Jim: What? What did you find?

Frank: This better not be another innerHTML fiasco...

Joe: I found JSON!

Jim and Frank: JSON? What the heck is that?

Joe: JSON is JavaScript Standard Object Notation. It’s a way to represent a JavaScript object in plain text. So the server can send us JSON—which is just text, no XML or DOM issues to deal with—and our JavaScript can work with that response as an object.

Jim: What’s the big deal about that?

Frank: Hmm. Well, if Joe’s really onto something—

Joe: I am!

Frank: —then you wouldn’t need all this DOM stuff, or even split() and other text manipulation code. You could just say, for example, var description = itemDetails.description. That would be pretty cool.

Joe: Look, here’s how it works...

JSON can be text AND an object

With CSV, comma-separated values, the CSV data was pure text. The server sent over the text, and our JavaScript had to use string manipulation routines like, split(), to turn the string into individual pieces of data.

With XML, the server sent text over, too, but that text was self-describing. So we could get a DOM representation of the text using the request object’s responseXML property. But then we had to use all those DOM methods to work with the object, instead of actual property names like description or urls.

But suppose we had a way to get text from the server, and then treat that text as a JavaScript object. Instead of using string manipulation or DOM methods, we’d just use code like item.description or itemDetails.urls. In other words, we’d have a format that was represented as text for easy network transmission, but an object when we needed to work with the data.

JSON data can be treated as a JavaScript object

When you get JSON data from a server or some other source, you’re getting text... but that text can easily be turned into a JavaScript object. Then, all you need to do is access that object’s fields using dot notation. Dot notation just means you put the object name, and then a dot, and then a field name, like this:

Note

Don’t worry... we’re going to talk about how to get the JSON data from the server in a minute.

var weakness = superman.weakness;

For instance, suppose you had an object like the one shown in the solution above. How do you think you’d access the value of the description field?

________________________________________________________

If you’re looking at your answer, and thinking it’s too simple, then you’ve probably got things just right. Working with JavaScript objects is about as easy as it gets.

So how do we get JSON data from the server’s response?

When a server sends its response as JSON data, that data comes across the network as text. So you can get that data using the responseText property of your request object:

var jsonData = request.responseText;

What the heck is this? And what do we DO with it?

JavaScript can evaluate textual data

JavaScript is pretty good at turning text into objects, functions, and lots of other things. You can give JavaScript some text, and it’s smart enough to figure out what that text represents.

For example, remember how we’ve been assigning event handlers?

JavaScript takes this textual function, and creates an actual function in memory. So when an image is clicked, the function code sitting in memory is executed. That all happens behind the scenes, though, and isn’t something you need to worry about.

But what about when you have text, and you need to TELL JavaScript to turn it into something more than text?

Use eval() to manually evaluate text

The eval() function tells JavaScript to actually evaluate text. So if you passed the text describing a statement to eval(), JavaScript would actually run that statement, and give you the result:

Evaluating JSON data returns an object representation of that data

But there’s one catch...

It looks like the object JavaScript creates from a JSON response is perfect for Rob’s rock inventory page. There’s just one thing to watch out for. You need to make sure that the overall JSON response string is seen as a single object. So when you call eval(), wrap the whole response in parentheses, like this:

Watch it!

Be sure you have JSON.php along with the JSON server-side script.

The server-side scripts for this chapter require JSON.php, which comes with this chapter’s downloads. Be sure you have all those files before going on.

JSON.php is used by the server-side script in this chapter. It handles some PHP-specific issues that make dealing with JSON easier on the server.

Frank: You’re right! His JSON code doesn’t really help much in that case. His code depends on knowing the names of the object’s properties.

Jim: Exactly. And there’s no way it works with dynamic item descriptions, where the property names change.

Frank: Hmmm. You know, I was able to solve that problem with XML. I wonder if Joe—

Jim: No way, man. You’ve always read the name of properties from your element’s tag names. His code has the property names as part of the code... they’re not even parameters to search methods like getElementsByTagName().

Frank: You’re right. I’ll bet this will hang him up pretty good.

Brain Power

What would a JavaScript object that had to change based on the specifics of an item look like?

JavaScript objects are ALREADY dynamic... because they’re not COMPILED objects

In compiled languages, you define your objects in a source file, like a .java or .cpp file. Then, you compile those files into bytecode. So once your program’s running, you’re stuck with the definitions that are compiled into bytecode. In other words, a Car object can’t suddenly have a new manufacturer property without recompilation. That lets everyone who’s using the Car object know what to expect.

Note

.cpp is for C++ code.

JavaScript, however, isn’t compiled; it’s interpreted. Things can change at any time. Not only that, but the objects the server sends are created at runtime, using eval(). So whatever’s sent to our JavaScript, that’s what we get in the itemDetails object.

We don’t need to change our object at all! We just need to know how to figure out what’s IN the object.

You can access an object’s members... and then get an object’s values with those members

JavaScript will tell you what properties an object has. You just have to ask it, using the for/in syntax. Suppose you’ve got an object called itemDetails, and you want to know what properties itemDetails has. You’d use this code to get those properties:

for (var property in hero) {
  alert("Found a property named: " + property);
}

Pretty simple, right? So the variable property would have values like id, description, price, and urls.

But we don’t want just the property names; we also want the values for each property. That’s okay, though, because JavaScript lets you access an object’s properties as if the object were an array. But instead of supplying an array index, like itemDetails[0], you supply a property name, like itemDetails["price"].

In other words, the value returned for itemDetails["price"] for an object is the value of the property named price in that object.

JavaScript does NOT give you a built-in way to see if a value is an array.

Dealing with dynamic data is tricky business. For instance, when you write in your code itemDetails.urls, you know that the value for that property will be an array. But what about itemDetails[propertyName]? Is the value for that property an array or a single value, like a string?

Unfortunately, JavaScript doesn’t give you a simple way to check and see if a value is an array. You can use the typeof operator, but even for arrays, typeof returns “object,” and not “array” like you might expect.

To help you out, here’s a little Ready Bake Code that will tell you if a value is an array or not. Add this function to the end of thumbnails.js, and then see if you can finish up your exercise from the last page.

Brain Power

Do you think isArray() belongs in thumbnails.js or utils.js? Put the function where you think it really belongs, and make any needed changes to the rest of your code now.

Good property names aren’t usually good label names, too.

Take a close look at the property names for an item’s description:

We’ve been printing out the property name and then the value for that property. But those property names look more like code than “human speak.”

Not only that, but the ID of each item is showing, too. That could wind up being a real security bug down the line.

What would YOU do to fix these problems?

Joe: Well, yeah, that’s kind of the point.

Frank: Do you really think that’s a good idea? Just running code that someone else gave you?

Joe: I’m not running it, I’m evaluating it. Haven’t you been paying attention?

Jim: Someone’s getting cranky that their JSON solution isn’t so easy...

Frank: Whether JSON’s easy or not, you can’t just evaluate that code blindly. What if it’s malicious code, like a script that hacks the user’s browser or something? Or it redirects their browser to a porn site?

Joe: Are you kidding me? It’s Rob’s server, for crying out loud!

Frank: What if it’s not correct JSON? What if there’s an error? Evaluating code with an error in it is going to generate errors for the users?

Jim: Sounds pretty dismal, Joe...

Joe: You’re both just annoyed that I was gonna win that guitar.

Frank: Hey, safety first, man. I’m telling you, you can’t go around using eval() on code that you don’t have any control over.

Joe: Great. Now what am I gonna do?

Brain Barbell

Ajax request objects can only make requests to programs on the same server that the JavaScript creating the request was served from. Does that reduce, increase, or change the dangers of using eval() on a server’s response text?

eval() evaluates what you give it, WITHOUT regard for the results of that evaluation.
You ONLY have direct control of eval() code.

You need to PARSE the server’s response, not just EVALUATE it

Calling eval() initiates a simple process: take a bit of text, and evaluate that text. What we need is an additional step. Suppose we could take a bit of text, and make sure it’s actually JSON-formatted data. Then, we could reasonably assume it’s safe to evaluate that data, and turn it into a JavaScript object.

That extra step—parsing the data and making sure the data is JSON—protects us from two important potential problems:

We’ll know that the data is safe to evaluate, and not a malicious script or program.
Note
JavaScript code, or other scripts, won’t pass a simple, “Is this JSON?” test.
We can be sure that not only is the data JSON, but it’s correctly formatted JSON and won’t cause our users any errors.
Note
A parser can catch errors and report them, instead of just giving up and creating an error.

Fortunately for Joe (and us!), the JSON website at http://www.json.org provides a JSON parser that does all of these things, and more. You can download a script from json.org called json2.js, and then use this command to parse JSON-formatted data:

Run it!

Change your code to use JSON.parse().

The examples for Chapter 10 already include json2.js in the scripts/ directory. Add a reference to this new script in inventory.html, and update your version of thumbnails.js to use JSON.parse() instead of eval().

Put the reference to json2.js before the reference to thumbnails.js since the thumbnails script uses the json2 script.

There’s still lots to do. Can YOU help Joe out?

How could you avoid showing the ID of an item when a user clicks on that item?
What about those labels? Can you figure out a way to show better, more- readable labels?
What about those URLs? Can you figure out a way to format URLs as links (using <a> elements) so they’re clickable?
And besides all that, how do YOU think Rob’s inventory page could be improved?
Don’t forget to use a JSON parser, instead of eval()!

Can you make Rob’s inventory page even cooler using JSON? Build your best version of Rob’s page, and submit your URL in the Head First Labs “Head First Ajax” forum. We’ll be giving away cool prizes for the best entries in the coming months.

Security is ALWAYS a concern when you’re programming for the web.
Always thorougly test any code that you don’t have complete control over.

So which is the better data format?

Joe: I know about lots of things I don’t like. Brussel sprouts, Melrose Place, velcro shoes... just because I know about something, doesn’t mean I like it!

Frank: I just don’t see what you really gain by using JSON. Maybe it’s a little easier for you to use, but it’s a pretty big pain when you get to dynamic data.

Jim: I don’t know, Frank... I got really confused dealing with 2 DOMs at once.

Frank: But XML is self-describing! We didn’t have any of those property-names-as-labels issues with XML.

Joe: I still think JSON lets me think in JavaScript, not some other language.

Fireside Chats

Tonight’s talk: XML and JSON go head-to-head on data formats and standardization

XML:	JSON
(glares at JSON)
	Your time has finally come, XML. Tonight, the world is gonna see that you’ve lost a step, especially when it comes to JavaScript and asynchronous applications.
I’ve heard that one before... but here I am, still the reigning data format in the world.
	You’re only at the top because people think that there’s nothing else available. I know lots of people that can’t stand you, XML... you’re big and bloated, and a real pain to work with.
I’m big because I can handle anything: product memorabilia, HTML, purchase orders... you throw it at me, I’ll take care of it. No problem. You think a little pipsqueak can handle all those different types of data? I don’t think so.
	Maybe not, but I’m fast... a lot faster than you, most of the time.
I’m plenty fast, especially if you use my attributes. And I’m versatile... I can do all sorts of things, like represent a math equation or a book.
	Yeah, well, most of my users aren’t too interested in sending math equations across the network. Besides, all those angle brackets? Ugh... anyone that knows arrays can start working with me without having to learn all that weird XML syntax.
But can someone transform you into something else? Like with XSLT? Or what about web services... you’re gonna tell me you can handle web services?
	Wow, you’ve really been a bit overused, haven’t you... you’re missing the point, Bracket-Head. I don’t care about all those things. I just care about getting information from a web page to a server and back, without a bunch of extra work... like having to crawl up and down a DOM tree. Know anyone who thinks that’s fun?
Uh, yeah. Hello? We’ve got a whole group of DOM experts out there these days, writing killer user interfaces. Did you see that Fifteen Puzzle? That was pretty cool, and it was only about 100 lines of code. Anyone that knows the DOM is ready to use XML, today!
	Look, all developers really need is a lightweight data format that’s easy to work with in JavaScript. And that’s me, Big Boy, not you.
What are all the servers going to think about this? You know, PHP and ASP.Net and Java... I don’t see them lining up to throw their support to you and your “lightweight data format” spiel.
	Well, I guess that’s true... but there are libraries that those guys can use to work with me.
Libraries? If they’ve got to use a library, why not use a standard like the Document Object Model?
	I’m already standard in PHP 5. And who knows who’s going to adopt me next?
But here I am, being used right now, because I’m already a standard. At the end of the day, you’re just one more proprietary data format. Maybe you’ve got a few more fans than comma-separated values, but I’ll put an end to that.
	Oh really? Let’s see about that...

Q:	Q: Do I need any special libraries to read JSON data?
A:	A: No. `eval()` is built into JavaScript, and it’s all you need to turn JSON data into a JavaScript object.
Q:	Q: Why should I mess with eval()? Couldn’t I just parse the raw text from the server?
A:	A: You could, but why bother? `eval()` turns all that text into a very simple object, and you can avoid counting characters and messing with `split()`.
Q:	Q: eval() just stands for evaluate, right?
A:	A: Right. `eval()` evaluates a string.
Q:	Q: So eval() runs a piece of text?
A:	A: Well, not always. `eval()` takes a string, and turns it into an expression. Then, the result of that expression is returned. So for a string like “2 + 2”, the expression would be `2 + 2`, and the result of that expression is `4`. So `4` is returned from `eval("2 + 2");` But take a string like ‘{“id”:”itemGuitar”,”price”:5695.99”}.’ Turning that into an expression and executing the expression results in a new object, not a specific “answer.” So sometimes `eval()` doesn’t really run text as much as it evaluates (or interprets) text.
Q:	Q: What are those curly braces around everything in the server’s response?
A:	A: JSON data is enclosed within curly braces: `{` and `}`. It’s sort of like how an array is enclosed within `[` and `]`. It’s just a way of telling JavaScript, “Hey, I’m about to describe an object.”
Q:	Q: And each name/value pair in the text becomes a property of the object and a value for that property?
A:	A: Right. The text “id”:”itemGuitar” in an object description tells JavaScript that there’s an `id` property, and the value of that property should be “itemGuitar.”
Q:	Q: What about the urls property? That looks sort of weird.
A:	A: urls is an array. So the property name is “urls,” and the value is an array, indicated by those opening and closing square brackets (`[` and `]`).

Q:	Q: This is all just about a data format, right?
A:	A: That’s right. Any time you send information between your web page and a server, you’re going to need some way to format that information. So far, we’ve used plain text to send requests, and text and XML to retrieve responses. JSON is just one more way to send data back and forth.
Q:	Q: If we’ve already got XML and text as options, why do we need JSON?
A:	A: Since JSON is JavaScript, it’s often a lot easier for both JavaScript programmers and browsers to work with. Also, because JSON creates a standard JavaScript object, it winds up looking more like a “business object” that combines data and functionality, instead of an untyped XML DOM tree. You can create similar objects from an XML response, but it requires a lot of additional work, with schemas and databinding tools.
Q:	Q: So JSON does things XML can’t do?
A:	A: It’s not so much that it does more; JSON actually does fewer things than XML. But what JSON does, it does simply and elegantly, without a lot of the overhead that XML requires to do all the bazillion things a more fully-featured markup language was designed to handle.
Q:	Q: Can we go back to syntax? I’m still a little fuzzy on the textual representation of an item. Can you explain how that’s working again?
A:	A: The curly braces, `{` and `}`, define an object, which is an unordered set of name/value pairs. Square brackets, `[` and `]`, indicate an ordered array. In your code, you reference elements inside curly braces by their name, but the ones inside square brackets are referenced by number. Here’s a closer look:

Q:	Q: So I shouldn’t ever use eval()?
A:	A: `eval()` is an important part of JavaScript. If you need to pass textual data to another function for evaluation, or even between scripts, `eval()` is really helpful. However, `eval()` can be a problem when you’re evaluating data that you can’t control, like from someone else’s program or server. In those cases, you won’t know ahead of time exactly what you’re evaluating. So in situations where you’re not in control of all the data, stick to a parser or some other approach other than `eval()`.
Q:	Q: But a JSON parser keeps my code safe, right?
A:	A: A JSON parser keeps your code safer than `eval()`, but that doesn’t mean you can completely relax. When you’re writing web code, security is always an issue. In the case of JSON data, `JSON.parse()` will ensure you’ve got valid JSON data, but you still don’t know what that data actually is. So you may still need additional checks before using the data in the rest of your scripts.
Q:	Q: We didn’t do any checks like that for Rob’s page. Should we?
A:	A: That’s a good question. When you’re reworking the app to help out Joe, think about the data you’re getting. Could it be used maliciously? Do you think you need additional security checks?
Q:	Q: What about that json2.js script? Can I trust and rely on that code?
A:	A: Now you’re thinking like a web programmer! Anytime you use code from another source, like from `http://www.json.org`, you should thoroughly test out the code. We’ve done that testing here at Head First Labs, and `json2.js` is safe to use.
Q:	Q: Is it free, too? Do I have to pay anyone anything to use json2.js?
A:	A: `json2.js` is free and open source. You can actually read through the source code at `http://www.json.org/json2.js`, and see what it does for yourself.
Q:	Q: So what about XML versus JSON? Which is better? And who won the guitar?
A:	A: That’s another good question. You’ve seen a lot of JSON and XML code now... which do you like best?

XML	JSON