-1

I want to convert a Javascript string into an actual function which I can attach to a property and reuse.

```javascript
var fn = 'function say(something) { alert(something); }';
fn.say('hello');
fn.say('world');
```

I don't actually want to implement this... It's pure Javascript curiosity.

Andrew
  • 5,525
  • 5
  • 36
  • 40
  • 2
    [**eval()**](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/eval) is your friend! – adeneo Jul 24 '14 at 15:12
  • 1
    @adeneo you should answer in answers :D – Raul Guiu Jul 24 '14 at 15:13
  • 1
    @RaulGuiu - eval is evil, it's not a very good answer, and the real answer is that OP shouldn't do this at all. – adeneo Jul 24 '14 at 15:15
  • I can see why he wouldn't though, since a quick Google search will yield results. – Zhouster Jul 24 '14 at 15:16
  • Before going to eval you might check out the risks associated with using it: http://blogs.msdn.com/b/ericlippert/archive/2003/11/01/53329.aspx and http://stackoverflow.com/questions/197769/when-is-javascripts-eval-not-evil are good starting references – scrappedcola Jul 24 '14 at 15:16
  • @adeneo but that is what he wants, you could add that you would not use it. – Raul Guiu Jul 24 '14 at 15:17
  • I'm not posting an answer with `eval()` in it, but you can ! – adeneo Jul 24 '14 at 15:18
  • I don't want to use it, I'm just curious how to do this within the Javascript language – Andrew Jul 24 '14 at 15:19
  • @Andrew - You don't, you find another way to do whatever it is you're trying to do ? – adeneo Jul 24 '14 at 15:22
  • Nice article on this one http://www.2ality.com/2014/01/eval.html?m=1 – V31 Jul 24 '14 at 15:23
  • The difference with my question is I want it wrapped in a function. I do not want to evaluate a result, but convert my string into usable javascript. @adeneo, as I said, it's pure curiosity. – Andrew Jul 24 '14 at 15:25
  • @Andrew See my answer. I try to address some of the concern around using `eval()` and why it is one of the most misunderstood features of JavaScript. – pje Jul 24 '14 at 16:12

1 Answer

0

You want to use the `eval()` function. But what you show above would not create a property on the `fn` variable. It instead just creates a function that you are assigning to `fn`. If you want to create an object with the property `say`, try this instead:

```javascript
var fn = eval('({ say: function (something) { alert(something); }})');
```

This evaluates the expression that resolves to the object containing a property named `say`. This property's value is a function that can be called like what you described above:

```javascript
fn.say('hello');
```

Also, despite all the flak that eval() gets, there are actually some uses for it.

  • JSON conversions
  • moving definitions between namespaces
  • minimization and obfuscation of JavaScript code
  • dynamic code rewriting and injection
  • creating metalanguages

As far as the security concerns go, `eval()` itself does not add any tangible vulnerability to your code. Unless you are doing something grossly irresponsible (such as calling `eval()` on user input), there is nothing that eval introduces by its presence that wouldn't be a concern anyway. The argument often given is the security threat when evaluating content returned from the server. This threat assumes that we can't even trust the server, in which case we probably have bigger issues. Another often-used argument is the man-in-the-middle attack, where someone is injecting malicious content into our resource request. Once again, if this is happening we probably have bigger concerns. If the attacker has the ability to inject malicious content into the server's response, then there is nothing preventing them from:

  • returning attacker-controlled code for JavaScript loaded via `<script src="">`
  • returning attacker-controlled code for JSON-P requests.
  • stealing cookies and user data without altering anything
  • returning attacker-controlled HTML and CSS used for phishing

The bottom line is that often the security threat arguments made for not using eval() are threats that will be problematic regardless of whether or not your code uses eval(). Despite what others might say, eval() is just another tool in the toolbox. Don't use it carelessly, or where another piece of code might do better. But don't disregard it entirely, even if Douglas Crockford tells you to.

Hope this helps!

References:
Secrets of the JavaScript Ninja
eval() isn't evil, just misunderstood

pje
  • 2,458
  • 1
  • 25
  • 26
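
An added example, not part of the answer above: it contrasts `eval()` with `JSON.parse()` for the "JSON conversions" use the answer lists, and direct `eval` with the `Function` constructor for turning a string into code. The payload strings, `sessionToken` and the `__ran` marker are constructed for illustration.

```javascript
// Constructed inputs: one plain JSON document, one "JSON" string carrying code.
const benign = '{"say": "hello"}';
const hostile = '{"say": (function () { globalThis.__ran = true; return "hello"; })()}';

// eval() treats the text as a program, so the embedded call executes.
function parseWithEval(text) {
  return eval('(' + text + ')');
}

// JSON.parse() accepts only the JSON grammar and rejects anything executable.
function parseAsData(text) {
  try {
    return { ok: true, value: JSON.parse(text) };
  } catch (err) {
    return { ok: false, error: err.name };
  }
}

// Direct eval runs inside the caller's scope and can read its locals.
function directEvalScope(src) {
  const sessionToken = 'constructed-secret'; // hypothetical local value
  return eval(src);
}

// The Function constructor compiles in global scope; caller locals are invisible.
function functionCtorScope(src) {
  const sessionToken = 'constructed-secret'; // hypothetical local value
  return new Function('return ' + src)();
}

function demo() {
  globalThis.__ran = false; // hypothetical marker set by the hostile payload
  const viaEval = parseWithEval(hostile);
  return {
    evalRanCode: globalThis.__ran,          // the embedded function was executed
    evalValue: viaEval.say,                 // and the caller still sees a normal value
    benign: parseAsData(benign),            // valid JSON parses as data
    hostile: parseAsData(hostile),          // executable text is rejected
    directEval: directEvalScope('typeof sessionToken'),
    functionCtor: functionCtorScope('typeof sessionToken'),
  };
}

console.log(demo());
```

Where dynamic code is not needed at all, a Content-Security-Policy without `'unsafe-eval'` makes the browser refuse both `eval()` and `new Function()`.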