不使用eval()从表单输入计算数据
[英]Calculate data from form inputs without using eval( )
问题描述
This past school year I graduated from high school and I am now an intern at a small internet marketing company. 
在过去的一个学年中,我从高中毕业,现在是一家小型互联网营销公司的实习生。 My current task is to develop an online price estimator so that the salespeople can quickly provide consistent estimates for our services. 我当前的任务是开发一个在线价格估算器,以便销售人员可以快速地为我们的服务提供一致的估算。 This is my first Javascript project. 这是我的第一个Javascript项目。 The most advanced thing I accomplished in js previously was a just few small and basic dom manipulation tasks. 以前,我在js中完成的最高级的操作是执行一些小的基本dom操作任务。
I found a site that has an estimator almost as robust as I need mine to be. 我发现一个网站的估算器几乎和我需要的一样强大。 So I am reading their code to figure out how it works so I can make my own version. 因此,我正在阅读他们的代码以了解其工作原理,以便自己制作自己的版本。 I was told that it is bad practice to use eval() on user submitted data. 有人告诉我,对用户提交的数据使用eval()是一种不好的做法。 So, I would like to know what to replace eval() with in this code. 因此,我想知道用这段代码替换eval()的内容。
frm = document.form1;
for (var i = 0; i < document.form1.elements.length; i++) {
if (frm.elements[i].type == 'checkbox' || frm.elements[i].type == 'radio') {
if (frm.elements[i].checked) {
v = eval("frm.val" + frm.elements[i].value);
mult = eval("frm.mult" + frm.elements[i].value);
mult = mult.value;
if (mult == '') {
mult = 1
} else {
mult = parseInt(mult)
}
hrs = hrs + parseInt(v.value) * mult;
var cur_val = frm.elements[i].title;
var make_rfp = cur_val.replace("___", mult);
document.getElementById('quote_des').value += make_rfp + "\n";
}
}
}
Here is the site I pulled this code from: https://www.designquote.net/html/dq_estimate_wizard.cfm 这是我从中提取此代码的网站: https : //www.designquote.net/html/dq_estimate_wizard.cfm
1 个解决方案
解决方案1
1 已采纳 2015-06-24 19:10:17
Eval is bad practice because it executes pure javascript and if you allow your user to type any js in a textfield and then execute that, you have built an invitation for crosssitescripting ;-) It would allow your users to change the contents on your site and even send some manipulated data back to your server - if you have one. Eval是一种不好的做法,因为它执行纯JavaScript,并且如果您允许用户在文本字段中键入任何js,然后执行该脚本,则已经为跨站脚本创建了邀请;-)它将允许您的用户更改网站上的内容并甚至将一些操作过的数据发送回服务器-如果有的话。
What you are looking for is a library like mathjs that interprets a String as a mathematical formula. 您正在寻找的是像mathjs这样的库,该库将String解释为数学公式。 You can find some more info about that here Evaluating a string as a mathematical expression in JavaScript 您可以在此处找到有关此内容的更多信息。 在JavaScript中将字符串评估为数学表达式
The other option would be to write your own formular-parser, if the libraries don't do what you need, but that would be some more work. 如果库没有满足您的需要,另一种选择是编写自己的公式解析器,但这将需要更多工作。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.