Sign Up to our social questions and Answers Engine to ask questions, answer people’s questions, and connect with other people.
Login to our social questions & Answers Engine to ask questions answer people’s questions & connect with other people.
Lost your password? Please enter your email address. You will receive a link and will create a new password via email.
Please briefly explain why you feel this question should be reported.
Please briefly explain why you feel this answer should be reported.
Please briefly explain why you feel this user should be reported.
i tried googling but didnt get a very specific answer.. then again, i might be not using the right keywords.. can someone point out the “security” issues javascript eval can cause? with examples with be very nice. will also do if you can point to an existing web resource which does the same.
Edit: I only need the security implications for eval.
eval() may be a sign of poor design. For instance, sometimes people use it to access object properties because they don’t know you can use the [] notation, i.e., eval(‘obj.’ + prop_name). It’s also a source of XSS holes if you eval() user content, since it might be interpreted as JS. It also tends to be slower than the alternatives.
This would be the most basic example of XSS while using eval() to parse JSON:
To get a hole like this you would have to be lazy about building your JSON and not escape quotes, but there are more complex examples, and using a specialized library like Douglas Crockford’s (json.org) one would avoid it.