What is the risk or inapplicability of using eval() as follows?

I am working on one of these robot games. The user creates a robot, and then places it on the battlefield with other robots.

I would like users to use JavaScript to program their bots. I will provide a number of functions for them to call, but they can also create their own. (Grade)

To date, the only solution I've come up with is to use the JavaScript eval() function to execute code written by users.

I want to know two things:

  • Does anyone have alternative suggested implementations that still allow users to write in javascript?

  • Can users do anything with this flaw that they couldn't do using the Firefox JavaScript debugging tools? (i.e. on their own, without using the eval() function)

Note: JavaScript code is stored in MySQL. AJAX is used to pull the JavaScript and display it to users, and AJAX is used to send JavaScript updates back to SQL. All code submitted by users that will be inserted into the database is run through the "clean()" function.

+3
5 answers

So basically you allow UserA to write javascript that will be called in the UserB browser?

If so, then that sounds like a pretty bad idea ;)

, http://code.google.com/p/google-caja/wiki/CajaCajole, .

, , javascript, , .

script, "" , , fx, , Steam, .. ! iframe cdn.:)

+3

, , Narcissus . JavaScript, JavaScript.

+2

.

eval script.

" " Function. :

var command = "alert(123)";
var doStuff = new Function(command);
doStuff();

eval , Function . , , , , eval, , Function. :

javascript ( eval)

+2
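The answer above contrasts eval with the Function constructor. The following added example (not code from the original thread) runs a player's bot script both ways for the question's robot scenario and shows what each one does and does not hide: Function() compiles in global scope, so the caller's local variables are invisible to the bot, but page globals remain reachable through either path, which is why neither is an isolation boundary. The runner names and the tiny frozen "api" object are constructed for illustration.

```javascript
// Added example, not from the original thread. Contrasts eval() with
// Function() for running a player's bot script and shows why neither one
// is a security boundary on its own.

function makeBotApi() {
  // Explicit, frozen capability object handed to the bot script: the only
  // thing we intend the bot to touch.
  const log = [];
  return Object.freeze({
    move: (dir) => { log.push("move:" + dir); return true; },
    fire: () => { log.push("fire"); return true; },
    log,
  });
}

function runBotWithEval(userCode) {
  const api = makeBotApi();
  const sessionToken = "caller-local-secret"; // local to this function
  // Direct eval() compiles in the caller's lexical scope, so userCode can
  // read sessionToken (and api) without them being passed in.
  const result = eval(userCode);
  return { result, log: api.log };
}

function runBotWithFunction(userCode) {
  const api = makeBotApi();
  const sessionToken = "caller-local-secret"; // NOT visible to the bot
  // Function() compiles in global scope: only the declared parameter "api"
  // is visible from this function. Strict mode prevents sloppy-mode leaks
  // such as "this" defaulting to the global object.
  const bot = new Function("api", "'use strict';\n" + userCode);
  const result = bot(api);
  return { result, log: api.log };
}

// Both runners still expose every global of the page (globalThis, and in a
// browser document, fetch, XMLHttpRequest, cookies), so hiding the caller's
// locals is not isolation. A real boundary is an origin boundary, e.g. a
// sandboxed iframe on a separate origin or a rewriter such as Caja, as the
// first answer suggests.
```

Running a bot with `runBotWithFunction("api.move('north'); return typeof sessionToken")` yields `"undefined"` for the token, while the eval runner hands the same script the token's value.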

AJAX JS. eval().

0

, , , , cookie , ..

, , , script.

, Javascript , , JavaScript , .

, eval() JavaScript . .

0

Source: https://habr.com/ru/post/1768694/
