I am using the ubiquitous jQuery validate plugin for form validation. It supports using the metadata plugin for adding validation rules to form elements.
I am using this functionality. When validate looks for those rules it makes this call on the element:

    $(element).metadata()[meta]

where meta is the prefix where you store those rules. For example:

    <input data-validate="{maxLength: 12}" name='foo'/>

The value of meta would be set to ‘validate’ to pick up these attributes. But there is a major problem here!
Here is what the metadata plugin does to parse the data attributes into json:

    var getObject = function(data) {
        if (typeof data != "string") return data;
        data = eval("(" + data + ")"); //oh no!!!!!
        return data;
    };

    if ( settings.type == "html5" ) {
        var object = {};
        // Walk every attribute on the element, not just the one named by meta
        $( elem.attributes ).each(function() {
            var name = this.nodeName;
            if (name.match(/^data-/)) name = name.replace(/^data-/, '');
            else return true; // not a data-* attribute: continue the .each loop
            object[name] = getObject(this.nodeValue);
        });
    }

So what ends up happening is that metadata parses ALL data-* attributes and tries to eval the contents! This breaks stuff as soon as you include a data attribute that doesn't contain JSON.
Now the question:
It seems like metadata and validate are both ‘tried and true’ plugins. Is this a known side effect of using the metadata plugin that people just live with?
I usually don't like modifying plugin code to suit my project's needs, but this seems like I should either:
- fix the metadata plugin to not blindly eval stuff, and not use eval or
- fix the validate plugin to use .data() instead of the metadata plugin
Also, is there some other way around this other than modifying the metadata plugin?
Post-bounty edit:
I should have made this clearer: I would be interested in some discussion on how this might have happened, how a bug of this magnitude might exist in both a canonical validation plugin and a plugin that I've seen used everywhere, written by Resig.
A fix is simple and I have already applied it (I chose to modify the validate plugin to use $.data when ‘meta’ was defined) – what I am giving 150 points for here are thoughts about why this is still a problem (or maybe it isn't!)
As you’ve discovered, the “fault” (using eval) lies with the metadata plugin, not the validate plugin.
The version of the metadata plugin you linked to is actually a fork; the jQuery team has the official repo. If you look at the commit history, you’ll see that there haven’t been any real code updates since 2007. The plugin has been officially deprecated since April 2011.
(John Resig blogged about HTML5 data- attributes in July 2008, and support in jQuery core arrived in 1.4.3, which was released in October 2010.)
So I guess the answer to your question of “how this might have happened” is that you’re not supposed to be using the plugin anymore 🙂
(Update: The “official” repo is now under “Projects Orphaned by the jQuery Foundation”.)
As for the validate plugin, aside from some of the demos and the meta option, I can’t find any mention of the metadata plugin in the documentation. There is ongoing work to add support for data- attributes and deprecate the metadata plugin, so hopefully when the next version is ready the metadata plugin can finally be abandoned.
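
An added example, not taken from either plugin or from the posts above: it contrasts the eval-based parse quoted in the question with reading only the `data-<meta>` attribute as strict JSON. `parseAllWithEval`, `readRules`, `evalThrowsOn` and the attribute maps (plain objects standing in for `elem.attributes`) are hypothetical names and constructed data.

```javascript
// The metadata plugin's parser as quoted in the question: any string is run as code.
function getObject(data) {
  if (typeof data != "string") return data;
  return eval("(" + data + ")");
}

// Same loop shape as the plugin's html5 branch: every data-* attribute is evaluated.
// attrs is a plain name -> value map standing in for elem.attributes (assumption).
function parseAllWithEval(attrs) {
  const object = {};
  for (const [name, value] of Object.entries(attrs)) {
    if (!/^data-/.test(name)) continue;
    object[name.replace(/^data-/, "")] = getObject(value);
  }
  return object;
}

// Hypothetical replacement: read only data-<meta> and parse it as JSON data.
function readRules(attrs, meta) {
  const raw = attrs["data-" + meta];
  if (typeof raw !== "string") return {};
  try {
    const parsed = JSON.parse(raw);
    const isPlainObject =
      parsed !== null && typeof parsed === "object" && !Array.isArray(parsed);
    return isPlainObject ? parsed : {};
  } catch (e) {
    return {}; // not valid JSON: no rules, and nothing was executed
  }
}

// True when the eval-based loop aborts with a SyntaxError on these attributes.
function evalThrowsOn(attrs) {
  try {
    parseAllWithEval(attrs);
    return false;
  } catch (e) {
    return e instanceof SyntaxError;
  }
}

// Constructed sample inputs.
const mixed = { name: "foo", "data-validate": '{"maxLength": 12}', "data-label": "First name" };
const loose = { "data-validate": "{maxLength: 12}", "data-count": "1+1" };

console.log(evalThrowsOn(mixed));           // true: "First name" is not an expression
console.log(parseAllWithEval(loose).count); // 2: the attribute text was executed
console.log(readRules(mixed, "validate"));  // { maxLength: 12 }
console.log(readRules(loose, "validate"));  // {}
```

The last line shows the migration cost: `{maxLength: 12}` as written in the question is an object literal, not JSON, so a JSON-based reader needs `{"maxLength": 12}` in the attribute.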