
JavaScript eval() on client-side for running untrusted code

I have been reviewing the threads that I can find on the security implications of using eval() on the client side of a JavaScript webpage.

I am implementing a site which should allow the user to run their own code (written on the page) and see some visual results on another div on the same page.

Essentially, I want the user to be able to write valid JavaScript code, and have it manipulate a canvas on the same page.

There is no need for server-side evaluation of the code.

I have had a look at both Jailed and Caja, but I think they may be adding additional complexity that is not required.

I understand that the right way of doing this type of thing is in a "sandbox" that has no access to the rest of my codebase; however, my needs are such that I cannot actually define a simple API to provide safe entry/exit points. I want the user to be able to use any JavaScript code, and I don't want to have to write an interpreter which will provide the API.

Given there is no server-side evaluation required, and there should only ever be a single user executing their own code in the web session, is it safe to use eval()?

If you have no path in your logic that allows one person to publish code to be used by others then you can use eval() as it is.

Your situation is in no way different from that of any user who has a browser with dev tools, where they can run any code they want.
