
Javascript security question / Using eval()

I'm seeing code in the following form - is such use of eval() safe?

function genericTakeAction(frm_name,id,pagenum,action)
{
    // Each eval() builds a string such as "document.frmSearch" and executes it
    var rset=eval("document."+frm_name);

    var x=eval("document."+frm_name+".edit_key");
    var y=eval("document."+frm_name+".cAction");
    if(x)
        x.value=id;
    if(y)
        y.value=action;

    page_list(pagenum);
}

It's used as:

  <a href="javaScript:;" onClick="genericTakeAction('frmSearch',
  '<?php echo $rec_id;?>','<?php echo $pagenum?>','makeOpen')" 
  class='link6'>Make Open</a>

Whether it's right or wrong, it's needlessly complicated.

function genericTakeAction(frm_name,id,pagenum,action)
{
    var rset = document[frm_name];

    var x = rset.edit_key;
    var y = rset.cAction;

    if(x)
        x.value=id;
    if(y)
        y.value=action;

    page_list(pagenum);
}

This works because in JavaScript, you can access an object's properties in one of two ways: either using dotted syntax and a literal identifier, eg x = obj.foo;, or using bracket syntax and a string identifier, eg x = obj["foo"];. (Note how foo was not in quotes in the first one, but was in quotes for the second; but both do exactly the same thing. Also note that since the property name is a string in the second case, you can use any expression that results in a string, so y = "f"; x = obj[y + "oo"]; also works.)

PS It's wrong

eval() is generally frowned upon because, as you are already aware, it is considered unsafe.

In the browser environment, however, it is less of an issue, because in fact, any user could eval() any code they wanted to, using tools like Firebug, etc.

There is still an issue, in that the eval() embedded in the code can be run without the user knowing that he was triggering an eval(), but it's still much less of an issue than in a server-side environment like PHP.

eval() is actually typically used as you've shown to run JSON code being returned from a server-side request. Newer browsers can import JSON more safely using a dedicated JSON.parse() function, but older browsers do not have this function and are forced to use eval() for this. Most JSON libraries have eval() in their code somewhere for this reason, but will generally do some sanitisation of the input before running it through eval().

Even if it might look a little bit convoluted, as others have already mentioned, from a pure security perspective, you have to make sure that the 'frm_name' parameter of the genericTakeAction() function can never contain user-supplied data.

In your example, the 'frm_name' parameter contains the hard-coded literal 'frmSearch'. So it is ok as long as this genericTakeAction() function does not get called somewhere else with user-supplied data for the 'frm_name' parameter.

See http://en.wikipedia.org/wiki/Cross-site_scripting#Traditional_versus_DOM-based_vulnerabilities
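The following is an added example that is not part of the question or any of the answers above. It combines the first answer's eval-free rewrite (bracket lookup instead of eval("document." + frm_name)) with the third answer's requirement that frm_name never carry user-supplied data, enforced here as an allowlist of known form names. The document object and page_list() are constructed stand-ins so the code runs under Node without a browser; the form names, input fields and ALLOWED_FORMS list are assumptions for the example.

```javascript
// Added example, not code from the original post. Constructed stand-in for
// the browser DOM: two forms carrying the hidden inputs that
// genericTakeAction() writes to. frmList deliberately has no cAction input,
// which exercises the "if (y)" guard.
const document = {
  frmSearch: { edit_key: { value: "" }, cAction: { value: "" } },
  frmList: { edit_key: { value: "" } },
};

// Constructed stand-in for the page's page_list(): records which page was
// requested so the call can be checked.
const shownPages = [];
function page_list(pagenum) {
  shownPages.push(pagenum);
}

// Assumed allowlist: the only form names this function may ever look up.
// A name that is not on the list is rejected instead of being resolved
// against the document object, so frm_name can no longer select anything
// the page author did not intend.
const ALLOWED_FORMS = new Set(["frmSearch", "frmList"]);

function genericTakeAction(frm_name, id, pagenum, action) {
  if (!ALLOWED_FORMS.has(frm_name)) {
    throw new Error("unknown form: " + String(frm_name));
  }
  // Bracket syntax is a plain property lookup: document[frm_name] with
  // frm_name === "frmSearch" is exactly document.frmSearch. No string is
  // parsed or executed, unlike eval("document." + frm_name).
  const rset = document[frm_name];
  const x = rset.edit_key;
  const y = rset.cAction;
  if (x) x.value = id;
  if (y) y.value = action;
  page_list(pagenum);
  return rset;
}

// Property lookup on its own, to contrast with eval(): the whole string is
// used as a single key. "frmSearch.edit_key" is not navigated as a path, it
// is simply a key that does not exist, so the result is undefined.
function lookupForm(name) {
  return document[name];
}

// Stand-alone run mirroring the onClick in the question.
genericTakeAction("frmSearch", "123", "2", "makeOpen");
console.log(document.frmSearch, shownPages);
```

The allowlist is the part that actually enforces the third answer's condition: with bracket syntax the worst a stray frm_name can do is select an unexpected property, and the Set check rules even that out, whereas with eval() the string is executed as code.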
