I tried googling but didn't get a very specific answer.. then again, I might be not using the right keywords.. can someone point out the "security" issues javascript eval can c
The eval function parses a string as code, which is quite a lot more work than, for example, accessing a property. Consider the effect of eval('myForm.'+field+'.value') compared to myForm[field].value.
Almost always when the eval function is used, there is a more structured way to do it. Avoiding the eval function forces you to come up with a better solution to the problem. Consider the effect of using dynamic variable names like eval('myVars'+i) compared to using an array like myArray[i].
The security implications are that if the parameters to eval() are fetched from some third party (user input, web service, etc.), you may be running someone else's code, which may do something you don't expect.
Why is this important? Imagine you are using some third-party web service to enrich your users' experience, perhaps fetching information from Facebook, and that web service gets hacked. Now the hacker can execute JavaScript code on your page, because you eval() some of the results from the web service, making the hacker able to inject anything in your DOM, infecting your users with trojans, etc.
Now, if you hadn't used eval(), all that would have happened is that you'd have gotten bad data which you may have displayed or even, if you're a studious programmer, displayed an error message regarding the particular data.
eval() may be a sign of poor design. For instance, sometimes people use it to access object properties because they don't know you can use the [] notation, i.e., eval('obj.' + prop_name). It's also a source of XSS holes if you eval() user content, since it might be interpreted as JS. It also tends to be slower than the alternatives.
This would be the most basic example of XSS while using eval() to parse JSON:
eval({"a": "b", 'c': "d" + alert("xss") + ""})
To get a hole like this you would have to be lazy about building your JSON and not escape quotes, but there are more complex examples, and using a specialized library like Douglas Crockford's (json.org) one would avoid it.
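The two replacements the answers above recommend, parsing JSON with a real parser instead of eval() and looking a field up by name with bracket notation instead of eval('myForm.' + field + '.value'), worked through as an added example. This is not code from any of the answers; the payload string, the form object and the function names are constructed for the demonstration.

```javascript
// Added example (not from the answers above): safe replacements for the
// two eval() uses discussed, parsing JSON and looking up a property by name.

// Constructed sample payloads standing in for an untrusted web-service
// response. The first carries the kind of injected expression that eval()
// would execute; a real JSON parser rejects it as a syntax error instead.
const UNTRUSTED_JSON = '{"a": "b", "c": "d" + alert("xss") + ""}';
const VALID_JSON = '{"a": "b", "c": "d"}';

// Parse untrusted text as data only. JSON.parse never executes code: any
// non-JSON token (here the "+" operator and the call) is a SyntaxError,
// so the worst case is an error message, not a script running in the page.
function parseUntrustedJson(text) {
  try {
    return { ok: true, value: JSON.parse(text) };
  } catch (err) {
    if (err instanceof SyntaxError) {
      return { ok: false, error: 'invalid JSON: ' + err.message };
    }
    throw err; // anything else is a programming error, not bad input
  }
}

// Look up a control by name without eval('myForm.' + field + '.value').
// Bracket notation reads the property without ever executing the field
// name. The own-property check keeps attacker-chosen names such as
// "__proto__" or "constructor" from resolving to inherited members.
function fieldValue(form, field) {
  if (!Object.prototype.hasOwnProperty.call(form, field)) {
    return undefined;
  }
  return form[field].value;
}

// Constructed stand-in for a form with two named controls (hypothetical).
const demoForm = {
  username: { value: 'alice' },
  email: { value: 'alice@example.invalid' },
};

// Runs both checks and reports what each untrusted input resolved to.
function demo() {
  const rejected = parseUntrustedJson(UNTRUSTED_JSON);
  const accepted = parseUntrustedJson(VALID_JSON);
  return {
    injectedPayloadRejected: rejected.ok === false,
    parsedC: accepted.ok ? accepted.value.c : null,
    username: fieldValue(demoForm, 'username'),
    protoLookup: fieldValue(demoForm, '__proto__'),
  };
}

module.exports = { parseUntrustedJson, fieldValue, demoForm, demo };
```

Running demo() shows the injected payload coming back as a parse error rather than an executed alert, while the well-formed document and the named form field resolve normally; the '__proto__' lookup returns undefined instead of the inherited prototype object.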
In general, there is almost always an alternative method that will be: