
I am building a simple JavaScript code editor for purposes of training (like CodePen without all its functionality). For the same, I am using ace-editor to get the code entered by the student. However, for purposes of executing the code, almost everyone seems to warn not to use eval or new Function(...).

I am expecting the code written by the student to access DOM elements (like canvas etc) of the page.

Any suggestions on the above use case would be welcome. Thanks

  • The `eval` documentation also presents a safe way of doing the same: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/eval#never_use_eval `Fortunately, there's a very good alternative to eval(): using window.Function(). See this example of how to convert code using a dangerous eval() to using Function(), see below.` – ikiK Mar 12 '21 at 12:15
  • Thanks @AndrewEvt/ @iKiK. Let me check the above links. I am using the new Function method as of now. I will update this post after my "eval"!! – RmR Mar 12 '21 at 12:17
  • Wow, beware @ikiK, what they mean here by "better" is **only** better in terms of performance. `Function` doesn't add **any** security over `eval`. I should probably either edit this page or open an issue when I get time. If you don't trust the input, don't pass it to `Function` either. The only secure way is to use a sandboxed iframe like services like StackSnippets, or jsfiddle do. – Kaiido Mar 12 '21 at 12:31
  • @ikiK it's "less dangerous" the same way being hit with a boxing glove by a heavyweight champion is less dangerous than being hit without a boxing glove. In both cases it's going to hurt a lot and you can get injured. Running code through `new Function` removes access to local variables, for example, *however*, it's still just executing the code. Arbitrary code running is still arbitrary code running. – VLAZ Mar 12 '21 at 12:37
  • @Kaiido I am not a native English speaker, but how can I interpret this wrongly: `More importantly, a third-party code can see the scope in which eval() was invoked, which can lead to possible attacks in ways to which the similar Function is not susceptible.` And this: `how to convert code using a dangerous eval() to using Function()` And it is Mozilla docs? – ikiK Mar 12 '21 at 12:45
  • That's why I said I have to either edit this page or to open an issue. This article is "dangerously" misleading. – Kaiido Mar 12 '21 at 12:46
  • @Kaiido Oh ok, I wasn't thinking you were referring to that article. Can you point me to some other solutions, articles, examples? I have been relying on Mozilla alone for eval. – ikiK Mar 12 '21 at 12:47
  • Well I did close this question as a dupe of another one, where the most upvoted answer quotes OWASP (far more reliable than MDN for security concerns) and says what I was saying in my first comment: "The only secure way is to use a sandboxed iframe" – Kaiido Mar 12 '21 at 12:50
  • @Kaiido Oh sorry, I hadn't noticed it was closed in the meantime... Thanks. – ikiK Mar 12 '21 at 12:51
  • @ikiK as I said, `new Function` will remove the local variables *however* that doesn't mean the code is safe. `new Function("for (;;);")` doesn't rely on any local variables and if executed will block the UI thread. The only "danger" MDN is talking about is local variable access *which is not the extent of all malicious code!* `new Function("window.Date = function() {};")` can also tamper with everything that's happening on the page. It still doesn't rely on any local variables. – VLAZ Mar 12 '21 at 13:05
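As an added example that is not part of the question or any of the comments, here is the sandboxed-iframe approach Kaiido and VLAZ point to, written for the poster's canvas use case: the student code runs with `new Function` inside a frame whose only sandbox token is `allow-scripts`, so it gets an opaque origin and cannot reach the host page's DOM, cookies or storage. The function names, the `#canvas` element and the message shapes are this example's own assumptions.

```javascript
// Added example (not from the question or any comment): run untrusted student
// code in a sandboxed iframe. With sandbox="allow-scripts" only, the frame has an
// opaque origin; the student's canvas lives inside the frame's own document.
const RUNNER_SANDBOX = "allow-scripts"; // deliberately without allow-same-origin

// allow-scripts + allow-same-origin lets framed code remove its own sandbox
// attribute, so the host side refuses that combination before creating a frame.
function sandboxAllowsEscape(sandboxValue) {
  const tokens = new Set(sandboxValue.trim().split(/\s+/));
  return tokens.has("allow-scripts") && tokens.has("allow-same-origin");
}

// Document for the frame: a canvas plus a listener that takes code from the
// parent, runs it with new Function (inside the opaque origin) and reports back.
function buildRunnerSrcdoc() {
  return `<!doctype html><body><canvas id="canvas" width="300" height="150"></canvas>
<script>
window.addEventListener("message", (ev) => {
  if (ev.source !== window.parent) return;   // accept code from the host page only
  const code = typeof ev.data === "string" ? ev.data : "";
  const canvas = document.getElementById("canvas");
  try {
    new Function("canvas", code)(canvas);     // still arbitrary code, but confined to the frame
    parent.postMessage({ ok: true }, "*");
  } catch (e) {
    parent.postMessage({ ok: false, error: String(e) }, "*");
  }
});
<\/script></body>`;
}

// Host page: create the frame, hand it the code once loaded, and only accept a
// reply that comes from that frame's own window (hypothetical helper).
function runStudentCode(code, onResult, doc = document) {
  if (sandboxAllowsEscape(RUNNER_SANDBOX)) throw new Error("unsafe sandbox value");
  const frame = doc.createElement("iframe");
  frame.setAttribute("sandbox", RUNNER_SANDBOX);
  frame.srcdoc = buildRunnerSrcdoc();
  const onMessage = (ev) => {
    if (ev.source !== frame.contentWindow) return; // ignore every other sender
    window.removeEventListener("message", onMessage);
    onResult(ev.data);
  };
  window.addEventListener("message", onMessage);
  // target origin must be "*": a frame without allow-same-origin has origin "null"
  frame.addEventListener("load", () => frame.contentWindow.postMessage(code, "*"));
  doc.body.appendChild(frame);
  return frame;
}
```

The sandbox confines what the code can touch, not how long it runs: a `for (;;);` submitted this way can still stall the shared event loop unless the browser puts the frame in its own process, so a run timeout has to be handled separately.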
