Menu
I have a javascript file that reads another file which may contain javascript fragments that need to be eval()-ed. The script fragments are supposed to conform to a strict subset of javascript that limits what they can do and which variables they can change, but I want to know if there is some way to enforce this by preventing the eval from seeing variables in the global scope. Something like the following:
function safeEval( fragment ) { var localVariable = g_Variable; { // do magic scoping here so that the eval fragment can see localVariable // but not g_Variable or anything else outside function scope eval( fragment ); } } The actual code doesn't need to look like this--I'm open to any and all weird tricks with closures, etc. But I do want to know if this is even possible.
614
Malicious code : invoking eval can crash a computer. For example: if you use eval server-side and a mischievous user decides to use an infinite loop as their username. Terribly slow : the JavaScript language is designed to use the full gamut of JavaScript types (numbers, functions, objects, etc)… Not just strings!
An alternative to eval is Function() . Just like eval() , Function() takes some expression as a string for execution, except, rather than outputting the result directly, it returns an anonymous function to you that you can call. `Function() is a faster and more secure alternative to eval().
The eval() function evaluates JavaScript code represented as a string and returns its completion value.
It is a possible security risk, it has a different scope of execution, and is quite inefficient, as it creates an entirely new scripting environment for the execution of the code. See here for some more info: eval.
Short answer: No. If it's in the global scope, it's available to anything.
Long answer: if you're eval()ing untrusted code that really wants to read or mess with your execution environment, you're screwed. But if you own and trust all code being executed, including that being eval()ed, you can fake it by overriding the execution context:
function maskedEval(scr) { // set up an object to serve as the context for the code // being evaluated. var mask = {}; // mask global properties for (p in this) mask[p] = undefined; // execute script in private context (new Function( "with(this) { " + scr + "}")).call(mask); } Again, I must stress:
This will only serve to shield trusted code from the context in which it is executed. If you don't trust the code, DO NOT
eval()it (or pass it to newFunction(), or use it in any other way that behaves likeeval()).
137
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
