I want to execute a script from an editable input field when clicking a button.
For example, if you type “alert("x");”, I want to alert you "x", but also if you type “for(i=0;i<3;i++){alert(i);}” I want it to execute it.
How can I achieve this?
Edit: Is eval() the only solution? Because I read that it is dangerous:
https://developer.mozilla.org/en/JavaScript/Reference/Global_Objects/eval#section_5
Please note that you’re taking input from the user and running it in the context of a script on your site. So the script can do anything that JavaScript running on your browser/domain would have the ability to do (including cookie stealing, XSS, drive-by malware, etc.).
The only thing you can realistically do to mitigate the risks is to not eval() user-provided content. I’d suggest considering the following alternatives:
iframe as an environment to run the user’s script: http://dean.edwards.name/weblog/2006/11/sandbox/
http://code.google.com/p/google-caja/
Happy coding!
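The iframe alternative from the answer above, sketched with the HTML5 `sandbox` attribute rather than the technique in the linked post. This is an added example, not code from the answer; `buildSandboxDoc`, `isFromSandbox`, `runInSandbox` and the message shape are assumed names.

```javascript
// Added example; function names and the message shape are assumptions.
// Build the frame's document. The user code is embedded as a JSON string
// literal with "<" escaped, so "</script>" or "<!--" cannot end the block.
function buildSandboxDoc(userCode) {
  const literal = JSON.stringify(String(userCode)).replace(/</g, "\\u003c");
  return "<!doctype html><script>" +
    "try { const r = new Function(" + literal + ")();" +
    " parent.postMessage({ ok: true, value: String(r) }, '*'); }" +
    " catch (e) { parent.postMessage({ ok: false, value: String(e) }, '*'); }" +
    "<\/script>";
}

// Accept a message only if it came from our frame and has the expected shape.
// A frame sandboxed without allow-same-origin has an opaque origin, which
// the browser reports as the string "null".
function isFromSandbox(event, frame) {
  const d = event.data;
  return event.source === frame.contentWindow && event.origin === "null" &&
    typeof d === "object" && d !== null &&
    typeof d.ok === "boolean" && typeof d.value === "string";
}

// Browser only: run the typed code in a throwaway frame and resolve with
// { ok, value }. The frame cannot read the page's cookies, storage or DOM.
function runInSandbox(userCode, timeoutMs = 2000) {
  return new Promise((resolve, reject) => {
    const frame = document.createElement("iframe");
    frame.setAttribute("sandbox", "allow-scripts"); // no allow-same-origin
    frame.style.display = "none";
    frame.srcdoc = buildSandboxDoc(userCode);
    const done = (settle, arg) => {
      clearTimeout(timer);
      window.removeEventListener("message", onMessage);
      frame.remove();
      settle(arg);
    };
    const onMessage = (event) => {
      if (isFromSandbox(event, frame)) done(resolve, event.data);
    };
    // Covers code that never posts a result; a busy loop in the frame
    // can still block the page.
    const timer = setTimeout(() => done(reject, new Error("timed out")), timeoutMs);
    window.addEventListener("message", onMessage);
    document.body.appendChild(frame);
  });
}
```

Without `allow-modals` in the sandbox list, `alert()` calls from the typed code are blocked; add that token only if dialogs are wanted, and do not combine `allow-same-origin` with `allow-scripts` for untrusted code.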