I need to eval() the code inside my page because I am working on something jsFiddle-like. Since eval has such a bad reputation, how can I interpret the user input code safely and securely? Or as safely and securely as possible?
Viewed 692 times
2

Toni Petrina
- Wouldn't the JavaScript code a user inputs only be a danger to them? Anyway, have you read http://stackoverflow.com/questions/6714090/how-do-i-safely-eval-user-code-in-a-webpage?rq=1? – j08691 Jan 28 '14 at 14:34
- Here are some alternatives to eval(): http://stackoverflow.com/questions/7127652/alternatives-for-javascript-eval – mparkuk Jan 28 '14 at 14:47
- The reason eval is evil is *because* it lets you run unknown code. This is to prevent [XSS](https://en.wikipedia.org/wiki/Cross-site_scripting) and other forms of code injection. Since your whole point is to do code injection, use `eval()`, it's the tool for the job; just don't use it in situations where running 3rd party code would be a bad thing (e.g. a poor-man's `JSON.parse`). – beatgammit Jan 28 '14 at 17:05
1 Answer
1
I would suggest you have a look at the following resources:
- https://code.google.com/p/jsreg/
- https://www.owasp.org/index.php/OWASP_JavaScript_Sandboxes
- http://www.thespanner.co.uk/2012/10/18/mentaljs-sandboxparser/
Anyway, you should consider running the code that's coming from untrusted users/sources on a domain other than the one where your main site/content is located.

Disenchant
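The isolation the answer recommends, as an added example that is not part of the question or the answer: the user's code is eval()'d in an origin-isolated sandbox iframe, with postMessage as the only channel back to the host page (browser-side JavaScript; HOST_TOKEN, sandboxSrcdoc, mountSandbox and isSandboxResult are hypothetical names chosen here).

```javascript
// Host-page side of a jsFiddle-style runner: the user's code is eval()'d inside an
// <iframe sandbox="allow-scripts"> built from srcdoc, so it gets an opaque origin.
const HOST_TOKEN = "demo-token-not-random"; // constructed value; use a random per-page nonce
// Markup loaded into the sandboxed frame. eval() runs here, never in the host document.
function sandboxSrcdoc() {
  return `<!doctype html><script>
window.addEventListener("message", function (ev) {
  if (ev.source !== window.parent) return;            // jobs come only from the host page
  var job = ev.data || {};
  if (job.type !== "run" || typeof job.code !== "string") return;
  var reply = { type: "result", id: job.id, token: job.token };
  try {
    reply.value = String((0, eval)(job.code));         // indirect eval: frame's global scope
  } catch (e) {
    reply.error = String(e && e.message ? e.message : e);
  }
  ev.source.postMessage(reply, ev.origin);             // reply only to the host's origin
});
<\/script>`;
}
// "allow-same-origin" is deliberately omitted: with it the frame would share the host's
// origin and the sandbox would give no isolation at all against the eval()'d code.
function mountSandbox(container) {
  const frame = document.createElement("iframe");
  frame.setAttribute("sandbox", "allow-scripts");
  frame.srcdoc = sandboxSrcdoc();
  container.appendChild(frame);
  return frame;
}
// Accept a result only from our own frame. An opaque origin is reported by postMessage
// as the string "null", so that, and not the host's origin, is what a genuine reply has.
function isSandboxResult(ev, frame, pendingIds) {
  const d = ev.data;
  return ev.origin === "null" && ev.source === frame.contentWindow &&
    !!d && d.type === "result" && d.token === HOST_TOKEN && pendingIds.has(d.id);
}
if (typeof document !== "undefined") {                 // browser-only driver; skipped in Node
  const pending = new Set();
  const frame = mountSandbox(document.body);
  window.addEventListener("message", (ev) => {
    if (!isSandboxResult(ev, frame, pending)) return;
    pending.delete(ev.data.id);
    console.log(ev.data.error ? "error: " + ev.data.error : "result: " + ev.data.value);
  });
  frame.addEventListener("load", () => {
    pending.add(1);
    // "*" is unavoidable: an opaque origin cannot be named as targetOrigin; isSandboxResult filters replies.
    frame.contentWindow.postMessage({ type: "run", id: 1, token: HOST_TOKEN, code: "1 + 2" }, "*");
  });
}
```

A separate real domain, as the answer suggests, gives the same origin isolation plus its own cookies and CSP; note that a sandboxed frame still shares the tab's event loop, so a runaway loop in user code can freeze the host page.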