Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Is using javascript eval() safe for simple calculations in inputs?

I would like to allow user to perform simple calculations in the text inputs, so that typing 2*5 will result in 10. I'm replacing everything but digits with an empty string and then make calculation using eval(). This seems easier and probably faster then parsing it manually.

It's often being said that eval() is unsafe, so I would like to hear is there any danger or drawback of using it in this situation.

function (input) {
  value = input.value.replace(/[^-\d/*+.]/g, '');
  input.value=eval(value);
}
like image 406
Oskar Skuteli Avatar asked Dec 24 '12 11:12

Oskar Skuteli


2 Answers

That is safe, not because you are sanitizing it, but because it's all entered by the user and run in their own browser. If they really wanted to enter malicious code, they could do it anyway by using firebug or web inspector, or even using a bookmarklet. Thankfully, there isn't much you can do maliciously with javascript except lock up your own browser :)

like image 198
marcus erronius Avatar answered Oct 13 '22 18:10

marcus erronius


this is safe because you are doing input validation before you put it into eval.

besides you should also add:

()%

like image 32
GottZ Avatar answered Oct 13 '22 18:10

GottZ