Reputation: 361
I have an html page with a textfield for the user to put expressions like these:
(x+23)*2
((x-y)*(x+y))
x*2/z+y
The user enters them and I use the 'eval' method to execute them. Before calling eval I make a check that there is nothing dodgy (like attempting to define a function or similar).
It seems to me that I should be fine. But am I introducing a security hole because I call 'eval' on the user's string? What's the risk?
Upvotes: 1
Views: 172
Reputation: 33592
What do you mean by "I make a check that there is nothing dodgy"? Blacklisting certain keywords doesn't work. For example,
eval("(func"+"tion () { window.alert('haha'); })()"); // the concatenation keeps "function" out of the string a keyword filter sees
As Lou said, you have to be worried when you add functionality to the page. If you add a "share this" button which makes a link to http://example.com/mypage?expr=x-1, it wouldn't be difficult to trick an unsuspecting user into clicking a link which stole cookies.
I'm pretty sure you can find JavaScript sandboxing out there somewhere.
Upvotes: 0
Reputation: 1026
If you are only evaling a user's code to that user on that page then you are fine. You start to get security problems when you take user-entered strings and eval them on other users' visits. If you aren't doing this, then there is no security hole at all. Anyone can eval JavaScript on a page they are visiting; you can't stop them.
Upvotes: 1
Reputation: 89192
The main thing to worry about is if they can form a URL and send it to someone and then have the eval be performed on another machine by clicking the URL. This would be possible if your form uses GET or even if you don't distinguish between GET/POST when you evaluate the form.
There are other things you can do to be even more sure.
Upvotes: 1
Reputation: 304215
Presumably you are filtering the string the user provides. However there is a risk that there is a sneaky way to accomplish harm that you have overlooked.
Upvotes: 0
Reputation: 3533
If you happen to have jQuery installed something like this may happen if not checked:
$.getScript("test.js");
http://api.jquery.com/jQuery.getScript/
Upvotes: 0
Reputation: 29490
The client can call JavaScript on its client anyway with the help of browser plugins and JavaScript debugging tools. It would be another thing if you'd attempt to run user-defined code on the server; that would be very risky.
Upvotes: 1
Reputation: 178061
All the user can do is to evaluate stuff in the scope of this page. If the user types in horrible script, what can it do to anyone except the user him/herself?
There is nothing the user can eval in that field that could not also be put in the location bar as a bookmarklet - all is run in the scope of the client browser.
Upvotes: 0