Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

How do I safely "eval" user code in a webpage?

Tags:

javascript

jslint

security

eval

I'm working on a webapp to teach programming concepts. Webpages have some text about a programming concept, then let the user type in javascript code into a text editor window to try to answer a programming problem. When the user clicks "submit", I analyse the text they've typed to see if they have solved the problem. For example, I ask them to "write a function named f that adds three to its argument".

Here's what I'm doing to analyse the user's text:

  1. Run JSLint on the text with strict settings, in particular without assuming browser or console functions.
  2. If there are any errors, show the errors and stop.
  3. eval(usertext);
  4. Loop through conditions for passing the assignment, eval(condition). An example condition is "f(1)===4". Conditions come from trusted source.
  5. Show passing/failing conditions.

My questions: is this good enough to prevent security problems? What else can I do to be paranoid? Is there a better way to do what I want?

In case it is relevant my application is on Google App Engine with Python backend, uses JQuery, has individual user accounts.

like image 706
Nathan Whitehead Avatar asked Jul 15 '11 23:07

Nathan Whitehead

People also ask

What is a safe alternative to using eval ()?

An alternative to eval is Function() . Just like eval() , Function() takes some expression as a string for execution, except, rather than outputting the result directly, it returns an anonymous function to you that you can call. `Function() is a faster and more secure alternative to eval().

How can eval be harmful?

eval() is a dangerous function, which executes the code it's passed with the privileges of the caller. If you run eval() with a string that could be affected by a malicious party, you may end up running malicious code on the user's machine with the permissions of your webpage / extension.

Why JSON eval is not recommended for use?

Your server could be compromised and the data source could be tampered with.

What is eval in HTML?

Definition and Usage The eval() method evaluates or executes an argument. If the argument is an expression, eval() evaluates the expression. If the argument is one or more JavaScript statements, eval() executes the statements.

2 Answers

So from what I can tell if you are eval'ing a user's input only for them, this isn't a security problem. Only if their input is eval'd for other users you have a problem.

Eval'ing a user's input is no worse than them viewing source, looking at HTTP headers, using Firebug to inspect JavaScript objects, etc. They already have access to everything.

That being said if you do need to secure their code, check out Google Caja http://code.google.com/p/google-caja/

like image 71
Ryan Doherty Avatar answered Oct 11 '22 14:10

Ryan Doherty

This is a trick question. There is no secure way to eval() user's code on your website.

like image 26
AlienWebguy Avatar answered Oct 11 '22 15:10

AlienWebguy
Sign in to Comment

Related questions

how to update a Django page without a page reload?
Where to begin with Smartphone Web Development? [closed]
Internet Explorer producing wrong line number for error
How to add Page Break dyanamically to Print page?
I need a JQuery IP Mask plugin
Javascript: [] = 5, No Syntax Error? Why?
How to store an array in a JavaScript cookie?
What is the getCSSCanvasContext() method of an HTML5 element?
Reading Server Side file with Javascript
JSF 2.0 AJAX: Call a bean method from javascript with jsf.ajax.request (or some other way)
Implementation of a C pre-processor in Python or JavaScript? [closed]
Why does jQuery pass the window object into their scope [duplicate]
What does this javascript response function do?
HTML5 drag & drop behaviour
Event when two SVG elements touch
How can I detect scroll end of the specified element by JavaScript?
Lazy loading images [duplicate]
JavaScript color contraster
Are there any good examples on how to organize JavaScript code?
Converting Ruby 1.9.2 code to JavaScript?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!