JS eval() function to interpret variables only

Question

I'm using eval to interpret some variables input.

Possible inputs are

"somevar"

"someobj.someprop['somekey'].someprop"

"window.someprop"

etc.

However I dont want it to 'execute' any action. Like calling any function, changing any value of anything, declaring any variable.

So those should not be accepted (and any that change state of anything):

alert()
var somewar = 0
mywar = somewar

Is it possible via native js?

My target is just to interpret complex input variable "address" and return it.

There are many QA on this topic, for example http://stackoverflow.com/questions/16564027/javascript-access-object-array-by-array-notation-string — Denys Séguret, Jun 13 '14 at 11:54
no it isn't. with es5 getters - it can run some logic. i would lock all these values into a single object. you might not want people to override `window.document`. — Daniel A. White, Jun 13 '14 at 11:55
Be wary of eval() here is a good discussion: http://www.nczonline.net/blog/2013/06/25/eval-isnt-evil-just-misunderstood/ — Alex KeySmith, Jun 13 '14 at 11:56
I've just realized that any code that change state must contain '(' or '=' — Adam Pietrasiak, Jun 13 '14 at 12:01
You could possibly use a parser generator, but it's probably overkill for what you are doing: http://pegjs.majda.cz/ — Alex KeySmith, Jun 13 '14 at 12:02

score 3 · Accepted Answer · answered Jun 13 '14 at 12:00

3

For something like this, you may be better parsing the value.

var steps = input.match(/\['(?:[^']|\\.)+'\]|\["(?:[^"]|\\.)+"\]|[a-zA-Z0-9_]+/g);
var src = window;
var step;
while(step = steps.shift()) {
    if( step.charAt(0)) {
        // ['...'] or ["..."]
        step = step.substring(2,step.length-2);
    }
    src = src[step];
}
alert(src);

Since you're parsing out the string, there's no opportunity for malicious code to be executed.

answered Jun 13 '14 at 12:00

Niet the Dark Absol

320,036
81
464
592

I've made function of it. Didnt work for like interpret("jQuery") – Adam Pietrasiak Jun 13 '14 at 12:06
Seems to work fine for me... Are you sure `window.jQuery` is defined when you call `interpret("jQuery")`? – Niet the Dark Absol Jun 13 '14 at 12:11

JS eval() function to interpret variables only

1 Answers1