Reputation: 10339
I have a calculator widget (jsfiddle) that uses JavaScript's eval() function to evaluate the user's input to work as a calculator. It's an embedded widget in a Chrome extension, so it doesn't have any database or anything else attached that could be hurt, and it doesn't send or receive any data.
Obviously, since it uses JavaScript's eval function, any JavaScript can be executed by this box. Is there any risk involved with this? I'm fairly new to JavaScript, so I'm not sure what could result from the user being able to evaluate their own JavaScript inside this widget. Wouldn't anything they do just be reverted upon refresh?
Upvotes: 1
Views: 388
Reputation:
All other "eval is evil" and "quality of code" concerns aside...
...the security concern isn't about allowing user-supplied code: the user can delete every file they own if they feel like it. Not recommended, but entirely possible.
The danger with JavaScript, be it eval() or otherwise, is allowing an attacker to run code on the user's behalf (without consent), in the context of said user (ergo browser/domain).
This is known as XSS: Cross-Site Scripting:
Cross-site scripting holes are web-application vulnerabilities which allow attackers to bypass client-side security ... by finding ways of injecting malicious scripts into web pages [which may or may not involve eval], an attacker can gain elevated access-privileges to sensitive page-content, session cookies, and a variety of other information maintained by the browser on behalf of the user. Cross-site scripting attacks are therefore a special case of code injection.
Happy coding.
Upvotes: 1
Reputation: 49919
See: "eval is evil" from Efficient JavaScript code:
The 'eval' method, and related constructs such as 'new Function', are extremely wasteful. They effectively require the browser to create an entirely new scripting environment (just like creating a new web page), import all variables from the current scope, execute the script, collect the garbage, and export the variables back into the original environment. Additionally, the code cannot be cached for optimisation purposes. eval and its relatives should be avoided if at all possible.
Upvotes: 0
Reputation: 85468
JavaScript runs on the client side, so your server is not in any imminent danger.
But this could be a problem if users could save their inputs somehow and give a link to other users, as this would allow for the execution of arbitrary JavaScript (i.e. cross-site scripting, aka XSS).
Upvotes: 1