Creating an online math tutorial, I want users on my site to define (math) functions that, by definition, are free from side effects. The easiest way to achieve this is to do the following:
var user_function = eval ("(function (x) { return (" + user_code + "); })");
If the user enters x*x, user_function will contain a function that calculates the square of its argument.
Now this opens my page to cross-site scripting and malicious code.
Is there a way to avoid this other than writing the expression parser myself? In other words, I want to allow the execution of functions in a well-defined context, for example, one in which the function cannot access global variables.
Johnb
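One way to keep user input out of eval entirely is a small recursive-descent parser that only understands arithmetic in x and builds closures for the result. This is an added example, not code from the question; FUNCS is an assumed whitelist of permitted math functions.

```javascript
// Added example (not from the question): compile a user-supplied expression in x
// into a JavaScript function without eval(). Only numbers, x, + - * / ^, parentheses
// and the whitelisted FUNCS are accepted; any other identifier is a syntax error.
const FUNCS = { sin: Math.sin, cos: Math.cos, sqrt: Math.sqrt, abs: Math.abs }; // assumed whitelist

function compile(src) {
  // Any character that is not part of a valid token becomes its own one-char token (\S)
  // and is rejected by the parser, so nothing unexpected can slip through.
  const tok = src.match(/\d+(?:\.\d+)?|[A-Za-z_]\w*|[-+*/^()]|\S/g) || [];
  let i = 0;
  const peek = () => tok[i];
  const next = () => tok[i++];
  const expect = (t) => { if (next() !== t) throw new SyntaxError("expected " + t); };
  function expr() {                      // term (('+'|'-') term)*
    let f = term();
    while (peek() === "+" || peek() === "-") {
      const op = next(), l = f, r = term();
      f = op === "+" ? (x) => l(x) + r(x) : (x) => l(x) - r(x);
    }
    return f;
  }
  function term() {                      // unary (('*'|'/') unary)*
    let f = unary();
    while (peek() === "*" || peek() === "/") {
      const op = next(), l = f, r = unary();
      f = op === "*" ? (x) => l(x) * r(x) : (x) => l(x) / r(x);
    }
    return f;
  }
  function unary() {                     // '-' unary | power
    if (peek() === "-") { next(); const f = unary(); return (x) => -f(x); }
    return power();
  }
  function power() {                     // atom ('^' unary)?  (right-associative)
    const b = atom();
    if (peek() !== "^") return b;
    next(); const e = unary(); return (x) => Math.pow(b(x), e(x));
  }
  function atom() {                      // number | x | f(expr) | (expr)
    const t = next();
    if (t === undefined) throw new SyntaxError("unexpected end of input");
    if (/^\d/.test(t)) { const v = Number(t); return () => v; }
    if (t === "x") return (x) => x;
    if (t === "(") { const f = expr(); expect(")"); return f; }
    if (Object.prototype.hasOwnProperty.call(FUNCS, t)) {   // own-property check keeps
      expect("("); const a = expr(); expect(")");           // "constructor" etc. out
      return (x) => FUNCS[t](a(x));
    }
    throw new SyntaxError("unknown token " + JSON.stringify(t));
  }
  const f = expr();
  if (i !== tok.length) throw new SyntaxError("unexpected token " + tok[i]);
  return f;                              // e.g. compile("x*x")(3) returns 9
}
```

Because the result is built from closures over a fixed grammar, an expression like alert(1) or x; globalThis is rejected at parse time rather than executed.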