JSLint “eval is evil.” alternatives

后端 未结 7 1363
别那么骄傲
别那么骄傲 2021-02-13 22:49

I am have some JavaScript functions that run on both the client (browser) and the server (within a Java Rhino context). These are small functions - basically little validators

7条回答
  •  清酒与你
    2021-02-13 23:22

    With very little parsing you could have had it like so:

    var body = this.policies[j].policyFunction.substr;
    body = body.substr(body.indexOf("(") + 1);
    var arglist = body.substr(1, body.indexOf(")"));
    body = body.substr(arglist.length + 1);
    var policyFunction = new Function(arglist, body);
    

    Which would provide a bit of validation, avoid the literal use of eval and work synchronously with the code. But it is surely eval in disguise, and it is prone to XSS attack. If the malevolent person can get their code loaded and evaluated this way - it will not save you. So, really, just don't do it. Add a

提交回复
热议问题