JSLint“eval是邪恶的。”备择方案 [英] JSLint "eval is evil." alternatives

问题描述

我有一些在客户端（浏览器）和服务器上运行的JavaScript函数（在Java Rhino上下文中）。这些是小函数 - 基本上很少有验证器，它们定义良好，不依赖于全局或闭包 - 自包含和可移植。

I am have some JavaScript functions that run on both the client (browser) and the server (within a Java Rhino context). These are small functions - basically little validators that are well defined and don't rely upon globals or closures - self-contained and portable.

这是一个例子：

function validPhoneFormat(fullObject, value, params, property) {
    var phonePattern = /^\+?([0-9\- \(\)])*$/;
    if (value && value.length && !phonePattern.test(value))
        return [ {"policyRequirement": "VALID_PHONE_FORMAT"}];
    else
        return [];
}

为了保持DRY，我的服务器代码可以处理每个函数并在它们上调用toString（），将它们作为JSON对象的一部分返回给浏览器。这样的事情：

To keep things DRY, my server code gets a handle on each of these functions and calls toString() on them, returning them to the browser as part of a JSON object. Something like this:

      { "name" : "phoneNumber",
        "policies" : [ 
            { "policyFunction" : "\nfunction validPhoneFormat(fullObject, value, params, property) {\n    var phonePattern = /^\\+?([0-9\\- \\(\\)])*$/;\n    if (value && value.length && !phonePattern.test(value)) {\n        return [{\"policyRequirement\":\"VALID_PHONE_FORMAT\"}];\n    } else {\n        return [];\n    }\n}\n"
            }
          ]
      }

我的浏览器JS代码然后接受此响应并在该上下文中创建此函数的实例，如此：

My browser JS code then takes this response and creates an instance of this function in that context, like so:

eval("var policyFunction = " + this.policies[j].policyFunction);

policyFailures = policyFunction.call(this, form2js(this.input.closest("form")[0]), this.input.val(), params, this.property.name));

这一切都很有效。但是，然后我通过JSLint运行此代码，我收到此消息：

This all works very well. However, I then run this code through JSLint, and I get back this message:

[ERROR] ValidatorsManager.js：142：37：eval是邪恶的。

我很欣赏，eval可能很危险。但是，我不知道如何在不使用它的情况下实现这样的机制。有什么方法可以做到这一点，并通过JSLint验证器？

I appreciate that often, eval can be dangerous. However, I have no idea how else I could implement such a mechanism without using it. Is there any way I can do this and also pass through the JSLint validator?

推荐答案

我不担心，因为你只是将这些函数字符串从服务器传递给客户端，因此可以控制要评估的内容。

I wouldn't worry about it since you are only passing these function strings from the server to the client, and are thus in control of what will be evaluated.

另一方面，如果你正朝着另一个方向前进并在服务器上进行客户传递代码的逃避，那将是一个完全不同的故事......

On the other hand, if you were going the other direction and doing the evals of client-passed code on the server, that would be an entirely different story...

更新：

由于您的评论中禁用验证选项可能会导致您为了错过未来的错误，我建议传递函数名而不是整个函数，并在服务器和客户端上镜像函数库。因此，要调用该函数，您将使用以下代码：

As disabling the validation option in your comment may cause you to miss future errors, I would instead suggest passing the function name rather than the entire function and have the function library mirrored on the server and client. Thus, to call the function, you'd use the following code:

var policyFunction = YourLibraryName[this.policies[j].policyFunctionName];
var policyArguments = this.policies[j].policyArguments;

policyFunction.apply(this, policyArguments); 

更新2：

我能够成功地使用JSLint验证以下代码，这实际上允许您在适当的 eval 的绝大多数情况下关闭验证。同时，JSLint仍然验证正常的 eval 调用，并且此方法的所有使用都应该为将来的开发人员抛出标记以避免使用它/在可能的情况下重构/作为时间允许。

I was able to validate the following code with JSLint successfully, which essentially allows you to "turn off" validation for the vast minority of cases where eval is appropriate. At the same time, JSLint still validates normal eval calls, and all uses of this method should throw up flags for future developers to avoid using it/refactor it out where possible/as time allows.

var EVAL_IS_BAD__AVOID_THIS = eval;
EVAL_IS_BAD__AVOID_THIS(<yourString>);

这篇关于JSLint“eval是邪恶的。”备择方案的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！