简体繁体 English

客户端的JavaScript eval（）用于运行不受信任的代码

[英]JavaScript eval() on client-side for running untrusted code

原文 2016-01-05 23:30:49 4 1 javascript/ eval

I have been reviewing the threads that I can find on the security implications of using eval() on the client-side of a javascript webpage. 我一直在审查我可以找到的关于在javascript网页的客户端使用eval（）的安全隐患的线程。

I am implementing a site which should allow the user to run their own code (written on the page) and see some visual results on another div on the same page. 我正在实现一个站点，该站点应该允许用户运行他们自己的代码（写在页面上）并在同一页面上的另一个div上查看一些可视化结果。

Essentially, I want the user to be able to write valid JavaScript code, and have it manipulate a canvas on the same page. 从本质上讲，我希望用户能够编写有效的JavaScript代码，并让它在同一页面上操作画布。

There is no need for server-side evaluation of the code. 不需要对代码进行服务器端评估。

I have had a look at both Jailed and Caja, but I think they may be adding additional complexity that are not required. 我已经看过Jailed和Caja，但我认为它们可能会增加不需要的额外复杂性。

I understand that the right way of doing this type of thing is in a "sandbox" that has no access to the rest of my codebase, however, my needs are such that I cannot actually define a simple API to provide safe entry/exit points...I want the user to be able to use any JavaScript code and I dont want to have to write an interpreter which will provide the API. 我知道做这种事情的正确方法是在一个“沙箱”中无法访问我的其余代码库，但是，我的需求是这样我实际上无法定义一个简单的API来提供安全的进入/退出点...我希望用户能够使用任何JavaScript代码，我不想写一个提供API的解释器。

Given there is no server-side evaluation required, and there should only ever be a single user executing their own code in the web session, is it safe to use eval()? 鉴于不需要服务器端评估，并且只有一个用户在Web会话中执行自己的代码，使用eval（）是否安全？

1 个解决方案

If you have no path in your logic that allows one person to publish code to be used by others then you can use eval() as it is. 如果您的逻辑中没有允许一个人发布其他人使用的代码的路径，那么您可以按原样使用eval() 。

Your situation is not anyhow different from any user that has browser and dev tools in it where he/she can run any code they want. 您的情况与任何拥有浏览器和开发工具的用户无关，他/她可以运行他们想要的任何代码。