
Possible Duplicate:
Why exactly is eval evil?

I read people claim that eval is unsafe when run on arbitrary user input code. I understand this in other languages that run on the server that access the filesystem, etc. However, why does this matter when executing code in a browser? After all, can't you just fire up Firebug and write any arbitrary script you want anyway? So then how is eval any different?

Joe Armstrong

  • `eval()` may be an XSS attack vector, if you're not careful – PaoloVictor Jan 27 '11 at 03:01
  • Please explain a little further – Joe Armstrong Jan 27 '11 at 03:04
  • See also http://stackoverflow.com/questions/197769/when-is-javascripts-eval-not-evil and http://stackoverflow.com/questions/1826859/is-there-ever-a-good-reason-to-use-eval – Phrogz Jan 27 '11 at 03:14
  • @Joel: You can check about XSS here: http://weblogs.java.net/blog/2006/09/27/preventing-cross-site-scripting-attacks . It explains how eval is not safe and vulnerable to XSS. – bertzzie Jan 27 '11 at 03:15
  • @Phrogz, only http://stackoverflow.com/questions/197769/when-is-javascripts-eval-not-evil is relevant - the others are about eval in general, this is a very different question (cause other languages are not generally run in a sandbox) – tobyodavies Jan 27 '11 at 03:37
  • @Phrogz, having read it, http://stackoverflow.com/questions/197769/when-is-javascripts-eval-not-evil is asking the same question, but none of the answers, as far as I am concerned, actually answer the question well in the context of JS – tobyodavies Jan 27 '11 at 03:56
  • Why was this closed? The linked "possible duplicate" is about Lisp eval whereas this one is about JavaScript eval. And the other questions linked in the comments are asking "when is eval safe" which IMHO is not the same as "why is eval unsafe". – antinome Nov 06 '13 at 18:57
  • I don't think this should be closed. This is specifically about JavaScript, where the threats posed by `eval` in server-side languages often don't apply, because JavaScript doesn't have io access. – Luke Taylor May 26 '16 at 16:25

2 Answers


The danger of eval only rears its ugly head when you are serving a script written by Alice to user Bob for Bob's browser to eval.

E.g., if Bob enters his password on your page, Alice could have written a keylogger in the user input you evaled and arranged for the data to be encoded in a script that Bob will (unknowingly) submit to be served to Alice. This is, as @Hunter2 has suggested in the comments, an XSS attack.

If you are not serving to other people, you are correct in assuming it is equivalent to firing up Firebug.

tobyodavies

Don't think it is unsafe; for the most paranoid, execute `eval = null;`

Kris Ivanov

  • This won't help. I can get most of the authority of `eval` by doing `new ((function () {}).constructor)('alert("Untrusted code")')()`. Look Ma, no globals! – Mike Samuel Jan 27 '11 at 03:27
  • That made `window` go all bonkers on me, but I'm curious: if you'd override a reference to a native through `window`, is there any way you can reference it otherwise? – Filip Dupanović Jan 27 '11 at 03:31
  • `function myEval(str){return (new Function(str))()}` is simpler and works for me :D – tobyodavies Jan 28 '11 at 08:28
  • What's the danger of this, besides evalled code throwing something? – Bryan Grace Jan 03 '21 at 23:18
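An added example (not code from the question or either answer) that tries the `eval = null` suggestion from this answer against the Function-constructor bypass Mike Samuel and tobyodavies describe in the comments, and puts the data-only alternative (`JSON.parse`) beside it. It assumes Node.js; `untrustedInput` is a constructed value.

```javascript
// Added example, not from the question or answers: checks the "eval = null"
// suggestion against the Function-constructor bypass noted in the comments,
// and contrasts both with parsing untrusted text as data. Assumes Node.js;
// in a browser the global object is `window` rather than `globalThis`.

// Constructed "user input" that happens to be valid JavaScript.
const untrustedInput = '1 + 41';

// The second answer's mitigation: clobber the global eval binding.
function disableEval() {
  globalThis.eval = null;
}

// Direct eval after disableEval(): the call fails, as intended.
function tryGlobalEval(src) {
  try {
    return { ran: true, value: globalThis.eval(src) };
  } catch (e) {
    return { ran: false, error: e.constructor.name };
  }
}

// The bypass from the comments: Function compiles source exactly like eval
// and is reachable from any function object, so nulling eval changes nothing.
function tryFunctionConstructor(src) {
  try {
    return { ran: true, value: new Function('return (' + src + ')')() };
  } catch (e) {
    return { ran: false, error: e.constructor.name };
  }
}

// The mitigation that holds: never hand untrusted text to a compiler.
// JSON.parse accepts only JSON literals and throws on anything that is code.
function parseAsData(src) {
  try {
    return { parsed: true, value: JSON.parse(src) };
  } catch (e) {
    return { parsed: false, error: e.constructor.name };
  }
}

disableEval();
console.log(tryGlobalEval(untrustedInput));          // { ran: false, error: 'TypeError' }
console.log(tryFunctionConstructor(untrustedInput)); // { ran: true, value: 42 }
console.log(parseAsData(untrustedInput));            // { parsed: false, error: 'SyntaxError' }
console.log(parseAsData('{"score": 42}'));           // { parsed: true, value: { score: 42 } }
```

The same holds for `setTimeout` with a string argument and for the generator and async function constructors, so the only dependable control is to keep untrusted strings out of every code-compiling API, not to hide one of them.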