1

I want to get the value of a property of a local object variable by using it's "fully qualified" variable name.

function foo() {
    var obj = {
        prop: "val"
    }

    var valueStr = "obj.prop";
    var value = // code here that gets value using valueStr
}

I have seen this answer for getting a global variable from a string, and I have seen this other answer for getting a property from an object using a string, but what is the simplest way to get both the object AND the property of that object all from a string? I don't want my object to have to be global.

Here is what I'm currently doing to solve this, but it requires that the object be made into a global variable.

var valueStrParts = valueStr.split(".");
var value = window[valueStrParts[0]][valueStrParts[1]];

I would prefer not to use eval(), but I will if I must. However, I need to be able to verify that the string it evaluates is sanitized and won't do anything more than access the property.

Community
  • 1
  • 1
4castle
  • 32,613
  • 11
  • 69
  • 106
  • Is obj a global variable? – Rajaprabhu Aravindasamy Mar 22 '16 at 19:29
  • Sorry, I misphrased the question. I have fixed it now – 4castle Mar 22 '16 at 19:30
  • 1
    There does not seem to be a way apart from using `eval` in that specific setup. You could however declare a single object that will hold all of your variables as properties. [See this and look how the variables are defined in the function](http://stackoverflow.com/a/16634074/1913729). You can then do `myWrappingObj[...][...]` – blex Mar 22 '16 at 19:40
  • why are you afraid to use eval? That is not evil in all situations. When you use it to alter the scope chain, then it will drain the performance. But here in your case, we are simply accessing a property. That is not going to affect anything. – Rajaprabhu Aravindasamy Mar 22 '16 at 19:43
  • @Raj I'm actually using this in order to answer [this question](http://stackoverflow.com/questions/36159506/jquery-search-dom-elements-just-after-rendering-and-replace-keys-by-its-correspo/36160682#36160682). If I do use eval, I want to be able to sanitize the string first so that I don't do anything more than access a property. – 4castle Mar 22 '16 at 19:55

1 Answers1

1

You can use eval() for this purpose,

var obj = { prop: "val" };
var valueStr = "obj.prop";
var func = function(str){ console.log(eval(str)) };
func.call(obj, valueStr);

Just change the scope where eval is executed as your object, then pass your string into that.

DEMO

Rajaprabhu Aravindasamy
  • 66,513
  • 17
  • 101
  • 130
  • For the purposes of my asking this question, I need to be able to sanitize the string first if I do use eval. The object is local for a reason. Is there a way that I can confirm that the string is only going to access a property value and nothing more? – 4castle Mar 22 '16 at 19:56
  • @4castle You can address that issue by https://jsfiddle.net/jum3hmg5/3/ Also this is vulnerability to XSS attacks. :) – Rajaprabhu Aravindasamy Mar 22 '16 at 20:04
  • Sure, but that isn't really a security improvement from what I had before. [**See this change**](https://jsfiddle.net/4castle/jum3hmg5/5/) (change described in the CSS) – 4castle Mar 22 '16 at 20:16
  • @4castle I haven't improved anything, just implemented what I had with me. And we cannot comment in that case until we see the full picture of OP's project. – Rajaprabhu Aravindasamy Mar 22 '16 at 20:18
  • Right, but I'm hoping to find a general case solution that doesn't make assumptions about variables being global or the js string being secure. Right now the security is my concern. – 4castle Mar 22 '16 at 20:27
  • Can you explain how it creates a vulnerability for XSS attacks? Now that I've looked into it for a while, I can't actually find any dangers. I'm thinking of just using the code I've already got in the fiddle. – 4castle Mar 22 '16 at 21:24
  • @4castle This is the danger, I was talking about. https://jsfiddle.net/jum3hmg5/6/ – Rajaprabhu Aravindasamy Mar 22 '16 at 21:39
  • Right, but would it be possible to hurt someone else by doing something with the url? I can only see ways for malicious code to be self-inflicted. – 4castle Mar 22 '16 at 21:52
  • @4castle That is less probable. But still anyone can do anything with that. And this injected code will affect all the users of your application not a single user session. – Rajaprabhu Aravindasamy Mar 22 '16 at 21:59