Wade

Reputation: 150

Does this solution make eval secure?

My system needs to let end-users type a function in JavaScript, but I am worried about XSS attacks, so I have tried some solutions, like if the user types some keywords, don't save it. Currently, I have an idea, but I don't know whether it is secure enough.

Can you tell me any weakness of this solution?

// end-user defines this part;
var userDefFunString = `function(i){
    // document is undefined here
    return document;
}`;

// this template makes keywords become undefined; there are more, but they are too long, so for demo purposes I removed them.
// (a `var` declaration without an initializer is already undefined, so all four names are shadowed, not only sessionStorage)
var template = `(function secureEval(input){
    var window, document, localStorage, sessionStorage = undefined;
    var fun = ` + userDefFunString + `

    return fun(input);
})`;

let secureFun = eval(template);

// the result should be true
console.log(secureFun("10") === undefined);

Upvotes: 0

Views: 65
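The template above only shadows the four listed identifiers inside one function scope. As an added example (not code from the original question), the following script feeds it several user-supplied strings that reach the global object anyway; a constructed stand-in for `document` is installed on `globalThis` so the demo runs in Node, and the `leaked`/`injected` property names are arbitrary choices for the demo.

```javascript
// Added example, not from the original question: user-supplied strings that
// defeat the `var window, document, ...` shadowing in the question's secureEval.
// A constructed stand-in for `document` is installed on the global object so the
// demo runs in Node; in a browser the real document would be reached the same way.
globalThis.document = { cookie: "session=constructed-sample-cookie" };

// The question's template, unchanged apart from being wrapped in a function.
function buildSecureEval(userDefFunString) {
  const template = `(function secureEval(input){
    var window, document, localStorage, sessionStorage = undefined;
    var fun = ${userDefFunString}
    return fun(input);
  })`;
  return eval(template);
}

// Each entry is a string an end-user could submit as their "function".
const bypasses = {
  // Shadowing covers only the listed identifiers; globalThis is not one of them.
  globalThisProperty: "function(i){ return globalThis.document.cookie; }",
  // Indirect eval always runs in the global scope, where document is visible again.
  indirectEval: "function(i){ return (0, eval)('document').cookie; }",
  // The Function constructor builds its body in the global scope as well.
  functionConstructor: "function(i){ return new Function('return document')().cookie; }",
  // Comma expression: arbitrary code runs before a harmless function is returned.
  commaExpression: "(globalThis.leaked = globalThis.document.cookie, function(i){ return i; })",
  // Statement injection: terminate `var fun = ...` and append another statement.
  statementInjection: "function(i){ return i; }; globalThis.injected = globalThis.document.cookie",
};

// Runs every bypass through the template and collects what each returned or leaked.
function runBypasses() {
  const results = {};
  for (const [name, src] of Object.entries(bypasses)) {
    results[name] = buildSecureEval(src)("10");
  }
  results.commaExpressionSideEffect = globalThis.leaked;
  results.statementInjectionSideEffect = globalThis.injected;
  // The question's own check still passes: a bare `document` is indeed shadowed.
  results.originalDemo = buildSecureEval("function(i){ return document; }")("10");
  return results;
}

console.log(runBypasses());
```

Every entry except `originalDemo` reaches the cookie, which is the point: a keyword denylist protects against the one spelling the author thought of, while the language offers several others (`globalThis`, indirect `eval`, `Function`, comma and statement injection) that no `var` shadowing can cover.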

Answers (1)

AP.

Reputation: 8921

Absolutely not! I could use ; alert('Hacked') or something like:

(/* Malicious Code */, _ => console.log('Valid Input Function'))

as the input, and it would already be a successful XSS. You should never accept JS as input!

You should consider creating a parser/token design where you provide them a preset list of functions they can use, then parse them into code.

Just for reference, malicious actors can use a slew of resources to make their attack vectors impossible to detect, like JsFuck or Js Obfuscator.

Upvotes: 1
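One way to build the "preset list of functions" design the answer recommends, as an added example that is not the answerer's code: the user's text is tokenized and parsed into a small AST under an explicit grammar, any identifier outside the allowlist is rejected at parse time, and evaluation walks the AST. `eval` and `Function` are never called, so there is nothing to escape from. The grammar (numbers, the input variable `i`, `+ - * /`, parentheses, and calls to `abs`/`min`/`max`/`round`/`sqrt`) and the function names are assumptions for the demo.

```javascript
// Added example, not from the original answer: an allowlisted expression
// language evaluated by AST walking instead of eval. Grammar and allowlist are
// assumptions chosen for the demo.
const ALLOWED_FUNCTIONS = {
  abs: Math.abs, min: Math.min, max: Math.max, round: Math.round, sqrt: Math.sqrt,
};

// Tokenizer: anything outside numbers, identifiers and the listed operators is an error.
function tokenize(src) {
  const tokens = [];
  let pos = 0;
  while (pos < src.length) {
    const ch = src[pos];
    let m;
    if (/\s/.test(ch)) { pos++; }
    else if ((m = /^\d+(?:\.\d+)?/.exec(src.slice(pos)))) { tokens.push({ type: "num", value: Number(m[0]) }); pos += m[0].length; }
    else if ((m = /^[A-Za-z_]\w*/.exec(src.slice(pos)))) { tokens.push({ type: "ident", value: m[0] }); pos += m[0].length; }
    else if ("+-*/(),".includes(ch)) { tokens.push({ type: "op", value: ch }); pos++; }
    else throw new SyntaxError(`unexpected character ${JSON.stringify(ch)} at ${pos}`);
  }
  return tokens;
}

// Recursive-descent parser. Grammar (assumed):
//   expr := term (('+'|'-') term)*      term := unary (('*'|'/') unary)*
//   unary := '-' unary | primary        primary := num | 'i' | ident '(' args ')' | '(' expr ')'
function parse(tokens) {
  let p = 0;
  const peek = () => tokens[p];
  const isOp = (v) => peek() && peek().type === "op" && peek().value === v;
  const take = (type, value) => {
    const t = tokens[p];
    if (!t || t.type !== type || (value !== undefined && t.value !== value))
      throw new SyntaxError(`expected ${value ?? type} at token ${p}`);
    p++;
    return t;
  };
  function expr() {
    let node = term();
    while (isOp("+") || isOp("-")) node = { kind: "bin", op: take("op").value, left: node, right: term() };
    return node;
  }
  function term() {
    let node = unary();
    while (isOp("*") || isOp("/")) node = { kind: "bin", op: take("op").value, left: node, right: unary() };
    return node;
  }
  function unary() {
    if (isOp("-")) { take("op"); return { kind: "neg", arg: unary() }; }
    return primary();
  }
  function primary() {
    const t = peek();
    if (!t) throw new SyntaxError("unexpected end of input");
    if (t.type === "num") { p++; return { kind: "num", value: t.value }; }
    if (t.type === "ident") {
      p++;
      if (t.value === "i") return { kind: "input" };
      // Own-property check: "constructor", "__proto__" etc. are not on the allowlist.
      if (!Object.prototype.hasOwnProperty.call(ALLOWED_FUNCTIONS, t.value))
        throw new SyntaxError(`unknown identifier ${t.value}`);
      take("op", "(");
      const args = [];
      if (!isOp(")")) {
        args.push(expr());
        while (isOp(",")) { take("op"); args.push(expr()); }
      }
      take("op", ")");
      return { kind: "call", name: t.value, args };
    }
    if (isOp("(")) { p++; const node = expr(); take("op", ")"); return node; }
    throw new SyntaxError(`unexpected token ${t.value}`);
  }
  const ast = expr();
  if (p !== tokens.length) throw new SyntaxError(`trailing input at token ${p}`);
  return ast;
}

// Evaluator: only the node kinds the parser can produce exist, so there is no way
// to reach a property, a global or a function outside ALLOWED_FUNCTIONS.
function evaluate(node, input) {
  switch (node.kind) {
    case "num": return node.value;
    case "input": return input;
    case "neg": return -evaluate(node.arg, input);
    case "bin": {
      const l = evaluate(node.left, input), r = evaluate(node.right, input);
      return node.op === "+" ? l + r : node.op === "-" ? l - r : node.op === "*" ? l * r : l / r;
    }
    case "call": return ALLOWED_FUNCTIONS[node.name](...node.args.map((a) => evaluate(a, input)));
  }
}

// Turns user text into a plain JS function, or throws SyntaxError before anything runs.
function compileUserFunction(src) {
  const ast = parse(tokenize(src));
  return (input) => evaluate(ast, Number(input));
}

// True when the text is within the grammar; rejected text never reaches evaluate().
function isAccepted(src) {
  try { compileUserFunction(src); return true; }
  catch (e) { if (e instanceof SyntaxError) return false; throw e; }
}

console.log(compileUserFunction("max(i * 2, 10) - abs(-3)")(4), isAccepted("document.cookie"));
```

Because rejection happens in the parser, inputs such as `document.cookie`, `alert(1)` or `constructor(1)` fail before any evaluation, and obfuscation tricks like JsFuck are irrelevant: the grammar simply has no construct that names a global, reads a property or calls anything not on the list.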
