Is this JavaScript code safe?

大憨熊 提交于 2019-12-13 01:28:49

问题


I have found the following JS on the web.

It is a function to get url params values.

function get_url_param(param) {
  param = param.replace(/[\[]/,"\\\[").replace(/[\]]/,"\\\]");
  var regexS = "[\\?&]"+param+"=([^&#]*)";
  var regex = new RegExp( regexS );
  var results = regex.exec(window.location.href);
  if( results == null )
    return '';
  else
    return results[1];
}

However always when I see a exec() function I think: Eeek!

So my question is: is it safe?

Side bet: If you think this function sucks and have a better option don't hesitate to share :)

The above function uses the real url but I only need to parse a string which contains an URL.


回答1:


Regexp#exec is safe, albeit not a very nice interface.

Side bet: If you think this function sucks and have a better option don't hesitate to share :)

yeeep :-)

param = param.replace(/[\[]/,"\\\[").replace(/[\]]/,"\\\]");

This doesn't use a global regexp so you are only replacing one instance of each bracket; field[][] wouldn't work. Also you don't need the character group... param.replace(/\[/g, '\\[') would have worked. Or, the non-regexp replacement idiom, param.split('[').join('\\[').

Then:

var regexS = "[\\?&]"+param+"=([^&#]*)";

you're not escaping nearly enough characters to be able to drop them into a regexp and have them mean their literal selves. See this question for a more watertight alternative.

Anyway this kind of regex hacking still isn't a good way of parsing URLs/query strings. This doesn't deal properly with ; or %-encoding, or + for space, and it may trip on parameter lookalikes elsewhere in the URL.

Instead, let's first get the query string on its own. If you have a link or location object, you can get it from the the .search property . If you only have a string URL, you can turn it into a link object to get this reliably:

function getQueryString(url) {
    var a= document.createElement('a');
    a.href= url;
    return a.search;
}

Now you can parse it into by dropping the leading ?, splitting on & or ;, then dropping the URL-decoded results into a JS Object:

function parseQuery(query) {
    var lookup= {};
    var params= query.slice(1).split(/[&;]/);
    for (var i= 0; i<params.length; i++) {
        var ix= params[i].indexOf('=');
        if (ix!==-1) {
            var name= decodeURIComponent(params[i].slice(0, ix));
            var value= decodeURIComponent(params[i].slice(ix+1));
            if (!(name in lookup))
                lookup[name]= [];
            lookup[name].push(value);
        }
    }
    return lookup;
}

This makes it easy to look up parameters:

var url= 'http://www.example.com/?a=b&c=d&c=%65;f[]=g#h=i';
var pars= parseQuery(getQueryString(url));

alert(pars.a);      // ['b']
alert(pars.c);      // ['d', 'e']
alert(pars['f[]']); // ['g']
alert('h' in pars); // false

If you don't need to read multiple values for a parameter, you could just do lookup[name]= value instead of the if...[]...push dance, to return single string values in the lookup instead of lists.




回答2:


The .exec() you see in your function is not of the window but of the RegExp object.

So it is perfectly fine to use.




回答3:


I wouldn't confuse a Regexp exec with an eval. A little clunky but it should work.



来源:https://stackoverflow.com/questions/6948053/is-this-javascript-code-safe

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!