I want to use eval() to resolve simple equations and logical expressions, e.g. 12*(4+3).
How safe is client-side eval when the input (possibly untrusted) gets sanitized and only allows digits, +-*/()<>|&! and the words 'true' and 'false'?
Available JS parsers for equations are too big and featureful for me. I threw one together myself, however it's a lot of lines of code compared to eval'ing and it's not yet perfect.
EDIT: So yeah, I guess what I'm specifically asking is can somebody execute malicious code with nothing but digits and +-*/()<>|&! ? (I guess 'true' and 'false' are harmless)
Eval() in JavaScript security risks: using eval() in JavaScript can pose a major security risk. The risk comes primarily from using the function to evaluate user input. If a savvy user comes across a text field on your site whose contents are passed to eval(), they can use it to execute malicious code.
Malicious code: invoking eval can also hang or crash a process. For example, if you use eval server-side and a mischievous user supplies an infinite loop as their username, the thread evaluating it never returns. Terribly slow: JavaScript is designed to work with the full gamut of its types (numbers, functions, objects, etc.), not just strings, and eval forces the engine to parse and compile source text at runtime instead.
If eval() operates on user input, an attacker no longer needs to inject script tags. eval() is present in many malicious scripts because it helps obfuscate code and/or sneak prohibited characters past filters: the payload is assembled as a string and only becomes code when it is evaluated. For this reason, eval() is often checked for in user input.
The security issue arises when a 'bad guy' can execute JavaScript in the security context of the 'innocent target guy'. In this scenario eval is only one possible tool. eval is a very powerful feature of JavaScript, and very powerful tools can be built on top of it.
I think it's completely safe, I don't think that eval is evil. Just use it judiciously, and double check your sanitize function.
Since you're not allowing Unicode letters, nor _ or $, to pass sanitization, and a JavaScript identifier must contain a letter, it won't be possible to pollute the global scope, nor to call functions.
From the MDN page on identifiers:
"Starting with JavaScript 1.5, you can use ISO 8859-1 or Unicode letters such as å and ü in identifiers. You can also use the \uXXXX Unicode escape sequences as characters in identifiers."
Remember to catch exceptions thrown by eval calls, because it's always possible to enter a wrong expression, e.g. 4><5.
Also, be sure that you check for the characters you allow, not for those you deny, so that characters you didn't think about are denied by default.
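An added example (my code, not the answerer's) of the allowlist approach the answer describes, with the exception handling it recommends and two extra checks a practitioner wants around eval: a bound on input length, and a check on the result, because 1/0 evaluates to Infinity and 0/0 to NaN without throwing. The names safeEval, tryEval, ExpressionError and MAX_LENGTH are my own, and the 200-character limit is an assumption, not something from the question.

```javascript
// Allowlist in front of eval(), as the answer recommends: only digits, the
// operators + - * / ( ) < > | & !, the words true/false and whitespace may pass.
// Anything else is rejected before eval ever sees it (deny by default).
const ALLOWED = /^(?:[0-9+\-*\/()<>|&!\s]|true|false)*$/;

// Assumption: a hard size bound. It keeps pathological input such as thousands
// of nested parentheses from ever reaching the parser.
const MAX_LENGTH = 200;

class ExpressionError extends Error {}

function safeEval(src) {
  if (typeof src !== 'string') throw new ExpressionError('expression must be a string');
  if (src.length > MAX_LENGTH) throw new ExpressionError('expression too long');
  if (!ALLOWED.test(src)) throw new ExpressionError('disallowed characters in expression');

  let value;
  try {
    // Indirect eval runs in global scope, so the expression cannot read this
    // function's locals. The strict-mode directive also rejects legacy octal
    // literals such as 010 instead of silently evaluating them to 8.
    value = (0, eval)('"use strict"; (' + src + ')');
  } catch (e) {
    // Syntax errors (e.g. 4><5) and RangeErrors land here. Wrap them so the
    // caller sees one error type and no engine stack trace leaks into the UI.
    throw new ExpressionError('invalid expression: ' + e.name);
  }

  // Check the output as well as the input: 1/0 is Infinity and 0/0 is NaN,
  // neither of which throws, and neither is an answer you want to display.
  if (typeof value === 'boolean') return value;
  if (typeof value === 'number' && Number.isFinite(value)) return value;
  throw new ExpressionError('expression did not produce a finite number or boolean');
}

// Convenience wrapper returning a result object instead of throwing.
function tryEval(src) {
  try {
    return { ok: true, value: safeEval(src) };
  } catch (e) {
    if (e instanceof ExpressionError) return { ok: false, error: e.message };
    throw e;
  }
}

// Constructed sample inputs: two valid expressions and a few that must be rejected.
for (const input of ['12*(4+3)', '4>3 && !false', '4><5', 'alert(1)', '1/0', '010']) {
  console.log(JSON.stringify(input), '->', JSON.stringify(tryEval(input)));
}
```

The allowlist is the real control here; the strict-mode directive and the result check only close gaps the character set leaves open (legacy octal, division by zero). Note that indirect eval is not a sandbox: the expression still runs in the page's global scope, so the allowlist is what keeps it from reaching `window`, `document` or any function at all.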