Thread: Javascript eval();

  1. #1

    Thread Starter
    Hyperactive Member progressive's Avatar
    Join Date
    Sep 2001
    Location
    Manchester, UK
    Posts
    404
    This is an example of what it does!

    Code:
    var name = "dave";
    var greeting = "hello";
    var eval_string = "greeting + name";   // a string that happens to contain JavaScript source
    var test_string = eval(eval_string);   // eval() runs that source and returns its value
    document.write(test_string);
    The output is: hellodave

    eval() has no real-world programming use that I can think of because,

    Code:
    var name = "dave";
    var greeting = "hello";
    var eval_string = greeting + name;     // the same expression, written directly in the code
    document.write(eval_string);
    would do exactly the same job *shrugs*!

  2. #2
    Addicted Member MrPresident2k's Avatar
    Join Date
    May 2002
    Location
    INDIA
    Posts
    167

    There is one more use

    Hi,

    Eval also calculates expressions as strings.
    say for example

    document.write(eval("1+1"))
    will print 2, even though the 1+1 is passed as a string

    Pres

  3. #3

    Thread Starter
    Hyperactive Member progressive's Avatar
    Join Date
    Sep 2001
    Location
    Manchester, UK
    Posts
    404
    Yes, but

    Code:
    document.write(1+1)
    would also print 2 to the browser, so there really is no need for eval!

  4. #4

    Thread Starter
    Hyperactive Member progressive's Avatar
    Join Date
    Sep 2001
    Location
    Manchester, UK
    Posts
    404

  5. #5
    Addicted Member MrPresident2k's Avatar
    Join Date
    May 2002
    Location
    INDIA
    Posts
    167

    Nice one, progressive.

    That was a nice page by you, progressive.

    Thanks,
    Pres.

  6. #6
    DeadEyes
    Guest
    Care should be taken when using eval(). For example, if
    you are using it in combination with an input control, the
    user could enter malicious code which will then be executed!

  7. #7
    Fanatic Member
    Join Date
    Oct 2001
    Location
    Three Anchor Bay, Cape Town, South Africa
    Posts
    769
    Now that last one sounds interesting....

  8. #8

    Thread Starter
    Hyperactive Member progressive's Avatar
    Join Date
    Sep 2001
    Location
    Manchester, UK
    Posts
    404
    I can't see them being able to do anything malicious, since
    JavaScript is client-side, so they'll only be able to affect their
    own machine!

    Can you enlighten us DeadEyes as to what they could do ?

  9. #9
    DeadEyes
    Guest
    Don't take my word for it; this is from the Mozilla Security Reviewers Guide, May 17 2002:
    "Avoid using eval() whenever possible. Also avoid passing a string as the first argument to setTimeout() and setInterval(),
    as this causes an eval(). Eval, besides being slow, provides a good avenue for inserting and running malicious code. There is
    usually an alternative. If you must use eval(), be sure to verify that the string being passed to it contains an expected value."
    As for what can be done, I wasn't thinking in terms of the client
    shooting themselves in the foot (although I did say user), but other people using your
    page to do their dirty work. And just to back-pedal, I've always balked at the mention of eval, because I understood it to be a
    risk. Where and when I first heard this I can't remember, and it's
    possible it could have been a different language, but I don't think
    so.

  10. #10
    DeadEyes
    Guest
    Ah yes, the old head's working overtime.
    The phrase I was looking for: "Cross Server Scripting"

  11. #11

    Thread Starter
    Hyperactive Member progressive's Avatar
    Join Date
    Sep 2001
    Location
    Manchester, UK
    Posts
    404
    I suppose if the page had frames and eval was used on a user's input, a DoS attack could be launched on another website,

    by the user entering setTimeout(parent.someframe.location='some site', 1);

    or something to that effect hmmm...

    I didn't know there was an eval function in JavaScript until this thread; I was aware of it in Perl though!

    As I've said earlier, there really is no need to use it in JavaScript anyway, but if you do use it to evaluate a user's input, make sure you perform some sanity checks first, as should be done with any user input. Even more so on the server side.

    e.g. use regular expressions to strip out dangerous characters
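An added example, not from any post in this thread, of the approach the quoted Mozilla guidance in #9 and the sanity-check advice in #11 point at: rather than stripping characters and then handing the rest to eval(), the input is checked against an allowlist and evaluated by a small arithmetic parser, so user text is never executed as JavaScript. The names safeCalc and ALLOWED are my own for this example.

```javascript
// Added example, not from the thread: the user's text is checked against an
// allowlist and then evaluated by a small parser, never executed as JavaScript.
const ALLOWED = /^[\d\s+\-*/().]+$/;   // digits, whitespace, + - * / ( ) .
// Returns the numeric value of `input`, or null when it is rejected.
function safeCalc(input) {
  if (typeof input !== "string" || !ALLOWED.test(input)) {
    return null;                       // letters, quotes, '=' etc. never get this far
  }
  const src = input.replace(/\s+/g, "");
  let pos = 0;
  const peek = () => src[pos];
  function number() {
    const m = /^\d+(\.\d+)?/.exec(src.slice(pos));
    if (!m) throw new SyntaxError("number expected at " + pos);
    pos += m[0].length;
    return parseFloat(m[0]);
  }
  function factor() {                  // number | '(' expr ')' | '-' factor
    if (peek() === "(") {
      pos++; const v = expr();
      if (peek() !== ")") throw new SyntaxError("')' expected");
      pos++; return v;
    }
    if (peek() === "-") { pos++; return -factor(); }
    return number();
  }
  function term() {                    // factor (('*' | '/') factor)*
    let v = factor();
    while (peek() === "*" || peek() === "/") {
      const op = src[pos++], r = factor();
      v = op === "*" ? v * r : v / r;
    }
    return v;
  }
  function expr() {                    // term (('+' | '-') term)*
    let v = term();
    while (peek() === "+" || peek() === "-") {
      const op = src[pos++], r = term();
      v = op === "+" ? v + r : v - r;
    }
    return v;
  }
  try {
    const v = expr();
    return pos === src.length ? v : null;   // trailing characters: reject
  } catch (e) {
    return null;                            // malformed expression: reject
  }
}
```

Input such as `alert(1)` or the setTimeout string in #11 fails the allowlist before any parsing happens, while `2*(3+4)` still gives 14.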
