I am writing a PHP library that generates Javascript code.
Javascript code contains several components named component001 , component002 , etc.
Pages are loaded dynamically through AJAX.
I need to pass the component name through a URL variable, which is then omitted () using a script.
The only way to protect what evades is with the regular expression ^component[0-9]{3}$ : if it passes, it will be nullified, otherwise it will not.
For me, this is 100% safe, because nothing will be done if it is just the name of one of my known components, or something in the eval() command that can be used in this code example, for example, regular expression injections, some kinds scripts on different sites, etc.
window.onload = function() { // *** DEFINED IN ANOTHER JAVASCRIPT FILE: var component001 = 'testing111'; var component002 = 'testing222'; var component003 = 'testing333'; var APP = {}; APP.getUrlVars = function() { var vars = [], hash; var hashes = window.location.href.slice(window.location.href.indexOf('?') + 1).split('&'); for(var i = 0; i < hashes.length; i++) { hash = hashes[i].split('='); vars.push(hash[0]); vars[hash[0]] = hash[1]; } return vars; } APP.getUrlVar = function(name, defaultValue) { defaultValue = (typeof defaultValue == 'undefined') ? '' : defaultValue; var vars = APP.getUrlVars(); if(vars[name] === undefined) { return defaultValue; } else { return vars[name]; } } APP.safeEval = function(nameOfComponent) { var REGEX_VALID_NAME = /^component[0-9]{3}$/; if(REGEX_VALID_NAME.test(nameOfComponent)) { return eval(nameOfComponent); } else { return 'ERROR'; } } // *** JAVASCRIPT FILE LOADED VIA AJAX: var nameOfComponentToDisplay = APP.getUrlVar('compname', 'component001'); var component = APP.safeEval(nameOfComponentToDisplay); document.write(component); }
source share