Home/ Questions/Q 6343737
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-24T20:30:12+00:00

let’s say I have a code as a following: object[hash].init(); Please assume that hash

  • 0

let’s say I have a code as a following:

object[hash].init();

Please assume that hash comes from the website hash (www.example.com#hash).

Is there any possible security holes in the code I displayed above? For instance, is it possible that I could put any code in the #hash that injects and trigger any malicious code?

Thanks.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    This will be no problem, hash will not be evaluated as JavaScript code, it will be treated as a string. In case the value of hash is not a valid property name for object, object[hash] will return undefined and you will get an error (not being able to call init on undefined).

    On the other hand, if you use hash in a way where strings are evaluated as JavaScript code, then you have a security problem.

    So this is fine:

    object[hash].init();

    but this is not (even with inner quotes):

    setTimeout("object['" + hash + "'].init();", 100);

    For example if hash was a string containing

    ']; alert('foo'); object['something

    Then alert('foo'); would be executed. It would be possible to inject and execute code without breaking your code.

    That said, I would still not do it this way. It ties the code too much together. I would probable create a map of functions (which is similar to your example, but not the same):

    var hashCodes = {
    'someHash': function() {
        object.something.init();
    }
};

if(hashCodes.hasOwnProperty(hash)) {
    hashCodes[hash]();
}
    • 0