如何不使用eval调用存储在字符串中的胖箭头函数?
[英]How do you call fat arrow function stored in string without using eval?
问题描述
How do you call fat arrow function like below (stored in string) without using eval? 
您如何在不使用eval的情况下调用以下胖箭头功能(存储在字符串中)?
"g => { alert(g); }"
With using eval, the below code is working fine, but I want to avoid using eval. 使用eval,以下代码可以正常工作,但我想避免使用eval。
eval("g => { alert(g); }")('hello')
I hope I could do something like below using "new Function", but I have no luck so far. 我希望我可以使用“新功能”执行以下操作,但到目前为止我还没有运气。
new Function("g => { alert(g); }")('hello')
Thanks so much in advance. 非常感谢。
3 个解决方案
解决方案1
1 2018-03-14 22:24:49
The Function constructor creates a new Function object.
that said, you can easyly parse your string to use function constructor, for example: 也就是说,您可以轻松解析字符串以使用函数构造函数,例如:
const str = [g,body] = "g => { console.log(g); }".split(" => "); var myFunc = new Function(g, body); myFunc("hello"); const str2 = [args,body] = "(h,i) => {console.log(h,i);}".split(" => "); const [h,i] = args.replace(/\\(|\\)/g,"").split(","); var myFunc2 = new Function(h,i, body); myFunc2("hello","buddy");
解决方案2
1 2018-05-07 00:08:19
Anything you do, including your own JS interpreter, is going to be a functional equivalent to eval . 您所做的任何事情,包括您自己的JS解释器,都将等同于eval的功能。 Calling eval() function is not a security gap by itself. 调用eval()函数本身并不是安全漏洞。 Executing unsanitized code is what is a security issue, and that's the thing you are trying to do here. 执行未经消毒的代码是一个安全问题,这就是您要在此处尝试做的事情。 Using eval or any equivalent creates an XSS vulnerability. 使用eval或任何等效项会创建XSS漏洞。
If you use real interpreter written in JS, you may be able to sandbox the code and mitigate the risk, but it's still a grey area. 如果您使用用JS编写的真实解释器,则可以将代码沙箱化并减轻风险,但是仍然是灰色区域。
OTOH, if you have valid reasons to consider the code in question to be sanitized, there's no good reason to not use eval . OTOH,如果您有正当的理由考虑对所涉及的代码进行清理,则没有充分的理由不使用eval 。
Be aware that you can't reliably sanitize JS code. 请注意,您无法可靠地清理JS代码。 Anything can be done with very little JS syntax available , so either the code is from a trusted source or it should never be run . 几乎没有可用的JS语法可以完成任何操作 ,因此代码要么来自受信任的源,要么永远不要运行 。
All that said, perhaps the simplest way to get your function compiled with new Function is 综上所述,用new Function编译函数的最简单方法是
(new Function('return ('+code+')'))()
This is almost exact equivalent to calling eval(code) , just without any access to the local namespace. 这几乎等同于调用eval(code) ,只是没有对本地名称空间的任何访问权。 Using eval() directly should be slightly faster (omits creating unnecessary function object). 直接使用eval()应该稍微快一些(省略创建不必要的函数对象)。
解决方案3
0 2018-03-14 21:53:34
in theory, this works. 从理论上讲,这是可行的。 Still seems like a bad idea. 似乎还是个坏主意。
var fatso = "g => { alert(g); }";
var s = document.createElement("script");
s.innerText = "function callMe(f) { var a = " + fatso + "; a(f) }"
document.head.appendChild(s);
callMe("hello");
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.