Is my eval() safe?

I built a dice roller: http://howderek.com/projects/diediedie/

and I would like to implement math so that my users can perform math operations on their rolls, which is useful for RPGs.

Instead of creating a function to handle the math or using a library like math.js, I realized that since JavaScript has built-in math, this might be useful for eval().

The reason I'm worried about eval() is that adding ?q=whatever to the DieDieDie URL puts whatever into the field and passes it to DieDieDie.

Now, obviously, if it were just an eval console, it would be easy to abuse it to run malicious JavaScript, but it's not: I use a RegEx before running eval().

From ( http://howderek.com/projects/diediedie/js/diediedie.js ):

// replaced holds the user's roll expression (a string) after earlier substitution in diediedie.js
// The test rejects any character outside the bracketed set; note that inside a character
// class the `|` and the spaces are literal members of the allowed set, not alternation.
if (!replaced.match(/[^0-9 | + | \- | * | \/ | ( | ) | \. | % | > | <]/g)) {
    result = eval(replaced);
} else {
    throw 'Unsafe eval (more than just math), refusing to execute.';
}

So, I was wondering if there is a way to get around the RegEx and run code through eval() just by entering text in the field.
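The question weighs writing a small math function against using eval(). This added example (not code from diediedie.js or its author) shows what that alternative looks like: a hand-written tokenizer and recursive-descent parser for exactly the operator set the regex intends (digits, decimals, + - * / % ( ) > <), so no user string ever reaches eval() and anything outside that grammar is rejected with an error. The function names `tokenize`, `Parser` and `evaluateRoll` are my own choices.

```javascript
// Added example: evaluate a dice-math expression without eval().
// Grammar (lowest to highest precedence):
//   expression := additive (('<' | '>') additive)?
//   additive   := multiplicative (('+' | '-') multiplicative)*
//   multiplicative := unary (('*' | '/' | '%') unary)*
//   unary      := ('-' | '+') unary | primary
//   primary    := NUMBER | '(' expression ')'

function tokenize(src) {
  const tokens = [];
  let i = 0;
  while (i < src.length) {
    const ch = src[i];
    if (ch === ' ' || ch === '\t') { i++; continue; }
    if (/[0-9.]/.test(ch)) {
      let j = i;
      while (j < src.length && /[0-9.]/.test(src[j])) j++;
      const text = src.slice(i, j);
      // "1..2" or "." alone are not numbers; reject them instead of letting Number() guess
      if (!/^\d+(\.\d+)?$/.test(text)) throw new Error(`Bad number literal: ${text}`);
      tokens.push({ type: 'num', value: Number(text) });
      i = j;
    } else if ('+-*/%()<>'.includes(ch)) {
      tokens.push({ type: 'op', value: ch });
      i++;
    } else {
      // Anything else (letters, quotes, semicolons, pipes, ...) is not part of the grammar
      throw new Error(`Illegal character ${JSON.stringify(ch)} at position ${i}`);
    }
  }
  return tokens;
}

class Parser {
  constructor(tokens) { this.tokens = tokens; this.pos = 0; }
  peek() { return this.tokens[this.pos]; }
  // Consume the next token if it is the operator `op`; otherwise leave the stream untouched.
  take(op) {
    const t = this.peek();
    if (t && t.type === 'op' && t.value === op) { this.pos++; return t; }
    return null;
  }
  parseExpression() {
    let left = this.parseAdditive();
    const cmp = this.take('<') || this.take('>');
    if (cmp) {
      const right = this.parseAdditive();
      left = cmp.value === '<' ? left < right : left > right; // boolean, like eval("3 > 2")
    }
    return left;
  }
  parseAdditive() {
    let v = this.parseMultiplicative();
    for (;;) {
      const t = this.take('+') || this.take('-');
      if (!t) return v;
      const r = this.parseMultiplicative();
      v = t.value === '+' ? v + r : v - r;
    }
  }
  parseMultiplicative() {
    let v = this.parseUnary();
    for (;;) {
      const t = this.take('*') || this.take('/') || this.take('%');
      if (!t) return v;
      const r = this.parseUnary();
      v = t.value === '*' ? v * r : t.value === '/' ? v / r : v % r;
    }
  }
  parseUnary() {
    if (this.take('-')) return -this.parseUnary();
    if (this.take('+')) return this.parseUnary();
    return this.parsePrimary();
  }
  parsePrimary() {
    const t = this.peek();
    if (!t) throw new Error('Unexpected end of expression');
    if (t.type === 'num') { this.pos++; return t.value; }
    if (this.take('(')) {
      const v = this.parseExpression();
      if (!this.take(')')) throw new Error('Missing closing parenthesis');
      return v;
    }
    throw new Error(`Unexpected token ${t.value}`);
  }
}

// Entry point: returns a number (or a boolean for a comparison) or throws.
function evaluateRoll(expr) {
  const p = new Parser(tokenize(expr));
  const v = p.parseExpression();
  if (p.pos !== p.tokens.length) throw new Error(`Unexpected token ${p.peek().value}`);
  return v;
}

// Example: the same input the ?q= parameter would carry, constructed here
console.log(evaluateRoll('(3 + 4) * 2 - 10 % 4')); // 12
```

Because the parser only ever produces numbers, a rejected input fails with an exception rather than running as code, and the whitelist is now the grammar itself rather than a character filter in front of eval().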

1 answer

Complexity is the enemy of security, so I think it's best to implement a simple solution that you know is safe, rather than trying to come up with something more complex that might be safe (but no one is sure until it is exploited).

- HTML5 Sandbox script, , RegEx .

, (, script.example.com www.example.com). XSS, ( ).

IFrame, :

<iframe src="http://script.example.com/projects/diediedie/" sandbox="allow-scripts" />

, IFrame . , XSS.

Cheat Sheet HTML5 OWASP , :

sandbox iframe

eval ( "" RegEx), IFrame.

, , IFrame:

<iframe src="/blank.htm" sandbox="allow-scripts" id="foo" />

var sandboxSupported = "sandbox" in document.createElement("iframe");

if (sandboxSupported) {
    document.getElementById('foo').setAttribute('src', 'http://script.example.com/projects/diediedie/');
} else {
    // Not safe to display IFrame
}

src, , sandboxSupported false, iframe , .

( script.example.com www.example.com), HTML5 Window.postMessage, IFrame . , document.domain , .
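The answer's layout has the roller in a sandboxed iframe on a separate host, with the two pages talking only through Window.postMessage. This added example (not code from the answer or from diediedie.js) shows both ends of that exchange with the checks each side should make before trusting a message. It assumes the main page is served from `APP_ORIGIN` and the frame is the `<iframe id="foo">` from the answer; the origin values, the message shape (`roll` / `roll-result` / `roll-error`) and the function names are my own placeholders. One detail to note: a frame with `sandbox="allow-scripts"` and no `allow-same-origin` runs in an opaque origin, so messages it sends arrive with `event.origin === "null"`, and the parent has to identify it by `event.source` rather than by origin string.

```javascript
// Added example: parent <-> sandboxed-iframe exchange over postMessage.
const APP_ORIGIN = 'https://www.example.com'; // placeholder: the page that embeds the iframe

// Parent side. Accept a result only if it comes from the frame window we created
// (the opaque sandbox origin cannot be compared by string) and has the expected shape.
function acceptResult(event, frameWindow) {
  if (event.source !== frameWindow) return null;          // not our frame
  const data = event.data;
  if (!data || typeof data !== 'object') return null;
  if (data.type !== 'roll-result') return null;
  if (typeof data.value !== 'number' || !Number.isFinite(data.value)) return null;
  return data.value;                                      // a plain number, never a string to eval
}

// Child side (inside the frame). Honour roll requests only from the embedding page,
// compute with whatever evaluator is plugged in, and answer with data, not code.
function handleRequest(event, compute) {
  if (event.origin !== APP_ORIGIN) return null;           // parent's origin is real and checkable
  const data = event.data;
  if (!data || typeof data !== 'object') return null;
  if (data.type !== 'roll' || typeof data.expr !== 'string') return null;
  try {
    return { type: 'roll-result', id: data.id, value: compute(data.expr) };
  } catch (e) {
    return { type: 'roll-error', id: data.id, message: String(e && e.message) };
  }
}

// Browser wiring; skipped when run outside a browser (e.g. under node for the checks below).
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  if (window.parent === window) {
    // Embedding page: the iframe from the answer, with sandbox="allow-scripts".
    const frame = document.getElementById('foo');
    window.addEventListener('message', (ev) => {
      const value = acceptResult(ev, frame.contentWindow);
      if (value !== null) console.log('roll result:', value);
    });
    // The frame's origin is opaque, so '*' is the only usable targetOrigin here; the
    // contentWindow reference is what pins the recipient.
    window.requestRoll = (expr) =>
      frame.contentWindow.postMessage({ type: 'roll', id: Date.now(), expr }, '*');
  } else {
    // Inside the frame. Placeholder evaluator: replace with a real expression parser.
    const compute = (expr) => {
      const v = Number(expr);
      if (!Number.isFinite(v)) throw new Error('not a number');
      return v;
    };
    window.addEventListener('message', (ev) => {
      const reply = handleRequest(ev, compute);
      if (reply) ev.source.postMessage(reply, ev.origin);   // reply only to the verified parent
    });
  }
}
```

Keeping the result as a number and refusing anything that is not from the expected window (parent side) or origin (child side) means that even a script-injection inside the frame gains nothing on the main site: the frame has no cookies or DOM access there, and the only channel back is a message the parent validates field by field.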


Source: https://habr.com/ru/post/1568478/
