what are the issues javascript eval can pose


Question


I tried googling but didn't get a very specific answer. Then again, I might not be using the right keywords. Can someone point out the "security" issues JavaScript eval can cause? Examples would be very nice. It will also do if you can point to an existing web resource which does the same.


Edit: I only need the security implications for eval.

Recommended answer


eval() may be a sign of poor design. For instance, sometimes people use it to access object properties because they don't know you can use the [] notation, i.e., eval('obj.' + prop_name). It's also a source of XSS holes if you eval() user content, since it might be interpreted as JS. It also tends to be slower than the alternatives.


This would be the most basic example of XSS while using eval() to parse JSON:

```javascript
// The value "d" came from user content; its unescaped quote closes the JSON
// string early, so the rest is executed as code when eval() sees the text.
eval({"a": "b", 'c': "d" + alert("xss") + ""})
```


To get a hole like this you would have to be lazy about building your JSON and not escape quotes, but there are more complex examples, and using a specialized library like Douglas Crockford's (json.org) one would avoid it.
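An added example (not code from the question or the answer) that puts the lazy, quote-unescaped JSON builder the answer describes beside one that escapes with JSON.stringify, and shows what eval() and JSON.parse() each do with the result. All function and variable names, and the injected value, are assumed for this demonstration.

```javascript
// Added example: string-concatenated JSON parsed with eval() versus JSON built
// with JSON.stringify() and parsed with JSON.parse(). Names are assumed.

// Flag the injected expression sets, so the effect of eval() is observable.
globalThis.injectedRan = false;

// Constructed attacker-controlled value: the unescaped quote closes the JSON
// string early and everything after it is ordinary JS once eval() runs it.
const USER_INPUT = '" + (globalThis.injectedRan = true) + "';

// Naive builder: the value is dropped into the text without escaping quotes.
function buildJsonNaive(value) {
  return '{"c": "' + value + '"}';
}

// Correct builder: JSON.stringify escapes quotes, backslashes and control chars.
function buildJsonSafe(value) {
  return JSON.stringify({ c: value });
}

// The pattern the answer warns about: eval() treats the text as program code.
function parseWithEval(text) {
  return eval('(' + text + ')');
}

// Runs the four combinations and returns what each one produced.
function demo() {
  globalThis.injectedRan = false;
  const naive = buildJsonNaive(USER_INPUT);

  const viaEval = parseWithEval(naive).c;          // injected expression executes
  const evalRanInjected = globalThis.injectedRan;  // true: eval() ran the payload

  let jsonParseRejected = false;                   // JSON.parse refuses the text
  try { JSON.parse(naive); } catch (e) { jsonParseRejected = e instanceof SyntaxError; }

  const safe = buildJsonSafe(USER_INPUT);
  const viaJsonParse = JSON.parse(safe).c;         // the literal string, untouched
  globalThis.injectedRan = false;
  const viaEvalSafe = parseWithEval(safe).c;       // escaped quotes: no execution
  const evalRanWithSafe = globalThis.injectedRan;  // false

  return { viaEval, evalRanInjected, jsonParseRejected, viaJsonParse, viaEvalSafe, evalRanWithSafe };
}
```

Escaping alone stops this particular payload, but JSON.parse is still the right parser: it rejects anything that is not data, while eval() runs whatever it is handed.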
