0

I have JavaScript code created server side and passed to the client as a string by a REST request. I am trying to execute the retrieved code. Any help would be appreciated.

Server side: the JavaScript code, stored in a string.

    (function() {

        function createChart(selector) {
            $(selector).highcharts({
                chart: {
                    type: 'column',
                },
                xAxis: {
                    crosshair: true,
                    type: "category"
                },
                yAxis: {
                    min: 0,
                    title: {
                        text: null
                    }
                },
                series: [{
                    data: datas
                }],
            });
        }

        function render() {
            createChart('#chart');
        }
        return {
            render: render
        }
    }())

Client side (AngularJS)

    .controller('ChartController', ['$scope', 'charts', function ($scope, charts) {

        var test = charts.data; // contains the JavaScript code sent by a REST request
        eval(test);
        test.render();

    }])

The execution of the script on the client side returns "test.render is not a function" in Chrome.

Any advice?

Thank you very much

ulquiorra
  • 1
    append a script tag to the page with the src being the serverside page – epascarello Aug 10 '15 at 16:54
  • @epascarello. I think it's a good way to do it. So I need to store the string in a real JavaScript file server side, then link it to the script tag client side, right? Thanks – ulquiorra Aug 10 '15 at 17:20
  • No you just return the script, no need to create an actual file. That is how JSONP works. – epascarello Aug 10 '15 at 17:21
  • @epascarello. I don't understand how it works because the script tag points to a resource file. Can you provide me some example links please? Thanks – ulquiorra Aug 10 '15 at 17:34

3 Answers

2

You can use eval to execute an arbitrary chunk of JavaScript code, but you should really, really avoid this when possible.

eval is a huge security problem since presumably you're getting that string from an outside source and who knows what they might try to run. See this question for more information on why eval is evil.

Mike Cluck
  • Exactly right. Using `eval()` opens the server up to malicious attack, as any externally supplied string has the power to (as an example) access the filesystem, gain control over your server processes etc. – jonny Aug 10 '15 at 16:54
  • @Mike C. Oh yeah, you are right, thank you. I did some research about eval and it seems very dangerous... So what are the other safe options to eval a JavaScript string? Thanks – ulquiorra Aug 10 '15 at 17:04
  • @user902509 That's it. If you're going to evaluate a string, it's not safe. I'd suggest loading in your script another way. – Mike Cluck Aug 10 '15 at 17:04
  • @Mike C. But eval is only dangerous if we can access the code by a browser, right? Because in my case it's about a mobile application. Thanks – ulquiorra Aug 10 '15 at 17:07
  • 1
    @user902509 It's dangerous no matter where you use it. Never trust user data. That's a golden rule of programming. – Mike Cluck Aug 10 '15 at 17:13
  • @Mike C. Thanks, I will use it for my local tests only until I find another solution. – ulquiorra Aug 10 '15 at 17:17
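
One way to avoid eval for the chart in the question, as an added example that is not code from the question or any answer: the server sends the chart settings as JSON data and the client builds the Highcharts options itself. The payload fields `type` and `data`, the `ALLOWED_TYPES` list and the helper names are assumptions made for illustration.

```javascript
// Added example: chart settings travel as JSON data, never as code.
// ALLOWED_TYPES and the payload field names are assumptions.
const ALLOWED_TYPES = new Set(['column', 'bar', 'line']);

function buildChartOptions(jsonText) {
  // JSON.parse only builds data; JavaScript source text throws SyntaxError.
  const cfg = JSON.parse(jsonText);
  if (cfg === null || typeof cfg !== 'object' || Array.isArray(cfg)) {
    throw new TypeError('chart config must be a JSON object');
  }
  if (!ALLOWED_TYPES.has(cfg.type)) {
    throw new RangeError('unsupported chart type');
  }
  if (!Array.isArray(cfg.data)) {
    throw new TypeError('data must be an array');
  }
  // Each point is [category, value]; only plain strings and finite
  // numbers are allowed to reach the charting library.
  const data = cfg.data.map((point) => {
    if (!Array.isArray(point) || point.length !== 2) {
      throw new TypeError('each point must be [category, value]');
    }
    const [name, value] = point;
    if (typeof name !== 'string' || !Number.isFinite(value)) {
      throw new TypeError('invalid point');
    }
    return [name, value];
  });
  // Same options as the chart in the question, built on the client.
  return {
    chart: { type: cfg.type },
    xAxis: { crosshair: true, type: 'category' },
    yAxis: { min: 0, title: { text: null } },
    series: [{ data }],
  };
}

// Wrapper that reports the outcome instead of throwing.
function tryBuild(text) {
  try { return { ok: true, options: buildChartOptions(text) }; }
  catch (e) { return { ok: false, error: e.name }; }
}

// Constructed sample payloads: valid JSON, then a string of code.
const good = '{"type":"column","data":[["Jan",4],["Feb",7]]}';
const codeString = '(function(){ return { render: function(){} } }())';
console.log(tryBuild(good).ok, tryBuild(codeString).error);
```

In the controller this would be used as `$('#chart').highcharts(buildChartOptions(charts.data))`, assuming `charts.data` holds the raw JSON text.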
1

Use:

    var result = eval(test);
    result.render();

Because your test is a string. The result of eval(test) is a function.

Using eval is never recommended. But if you really need it, use Angular's $eval instead:

If you want to eval() an Angular expression yourself, use the $eval() method.

Joy
  • Thanks, it works, but I guess it will be temporary until I find another solution because it's too dangerous, but I needed it to work for my local tests. Thank you very much – ulquiorra Aug 10 '15 at 17:16
0

You should use the eval function like this:

    var functionToEval = "functionName";
    console.log(eval(functionToEval));

For more information on the eval function you can go see this page: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/eval