在这里使用 eval() function 安全吗?
[英]Is the eval() function safe to use here?
问题描述
I'm learning DOM Scripting with JavaScript and thought it nice to make a simple calculator app, I found the logic easy enough to do but ran into a problem using parseInt to convert the string type arithmetic expression to number type arithmetic expression.
我正在使用 JavaScript 学习 DOM 脚本,并认为制作一个简单的计算器应用程序很好,我发现逻辑很容易做到,但是使用 parseInt 将字符串类型算术表达式转换为数字类型算术表达式时遇到了问题。
I ended up having to use the eval() function which worked fine for a basic calculator app but on further research I found out the eval() function is a security risk in most casese, I've used a regex expression to cleanse the result but don't know if this is safe enough.我最终不得不使用 eval() function,它适用于基本的计算器应用程序,但在进一步研究中我发现 eval() function 在大多数情况下存在安全风险,我使用正则表达式来清理结果但不知道这是否足够安全。
Here is the code snippet I'm unsure is safe to be executed on the client browser.这是我不确定在客户端浏览器上执行是否安全的代码片段。
const equals = document.getElementById("equals");
equals.addEventListener("click", (e) => {
document.getElementById("result").innerText = eval(document.getElementById("result").innerText).replace(/[^**-+/*\d]/g, '');
});
NOTE: This code is deployed as a static site on Netlify.注意:此代码在 Netlify 上部署为 static 站点。
1 个解决方案
解决方案1
0 2023-01-29 01:05:36
You should definitely stop using eval() .你绝对应该停止使用eval() 。
Executing JavaScript instructions from a string opens up a huge security risk that makes it easy for would-be third-party attackers to inject potentially malicious code into your application without your knowledge or permission.从字符串执行 JavaScript 指令会带来巨大的安全风险,这使得潜在的第三方攻击者很容易在您不知情或未经许可的情况下将潜在的恶意代码注入您的应用程序。
Another reason not to use eval() , in my view, is that some sources have already marked it as obsolete or deprecated and it is being blocked by default in some environments due to its security risks and slow performance.在我看来,不使用eval()的另一个原因是,一些来源已经将其标记为过时或已弃用,并且由于其安全风险和性能低下,在某些环境中它被默认阻止。 In other words, support for eval() is at issue and there is a push to possibly phase it out from future versions of Javascript. That means anything you've built that uses it has the potential to eventually stop working.换句话说,对eval()的支持存在问题,并且有可能从 Javascript 的未来版本中逐步淘汰它。这意味着您构建的任何使用它的东西都有可能最终停止工作。
The good news is eval() has been on its way out for a quite while now so there are plenty of much better, much more secure ways to accomplish just about everything you'd use eval() for.好消息是eval()已经退出一段时间了,所以有很多更好、更安全的方法来完成几乎所有你使用eval()的事情。 In fact, the code snippet you shared doesn't need eval() at all.事实上,您共享的代码片段根本不需要eval() 。
The innerText property you are updating is directly accessible from within the DOM .您正在更新的innerText属性可以直接从DOM中访问。 While we're on the subject, avoid using the innerHTML property.当我们讨论这个主题时,请避免使用innerHTML属性。 It too poses security risks similar to eval() .它也带来类似于eval()的安全风险。
This code here should address your concerns:这里的代码应该可以解决您的问题:
const equals = document.getElementById("equals");
equals.addEventListener("click", (e) => {
let result = document.getElementById("result");
result.innerText = result.innerText.replace(/[^**-+/*\d]/g, '');
return true;
});
The only place in a calculator app I can think of where a developer might be tempted to use eval() would be to run it's actual calculations.在计算器应用程序中,我能想到的唯一一个开发人员可能会想使用eval()的地方就是运行它的实际计算。 It's sort of a cheat to just feed an entire mathematical expression to eval() rather than construct a proper parser.将整个数学表达式提供给eval()而不是构建适当的解析器有点作弊。 I suppose it works (for now) but it's a bad practice.我想它(目前)有效,但这是一种不好的做法。
I built a little calculator app you are welcome to study that performs all the key operations one expects a calculator to do without touching eval() .我构建了一个小型计算器应用程序,欢迎您学习它执行人们期望计算器执行的所有关键操作而无需触及eval() 。 Feel free to check it out: https://calc-work.webflow.io .请随时查看: https://calc-work.webflow.io 。
Hope you find this helpful.希望你觉得这有帮助。 Cheers!干杯!
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.