Why is eval unsafe in JavaScript?


Problem description


Possible duplicate:

Why is eval evil?

I read people claim that eval is unsafe when run on arbitrary user input code. I understand this in other languages that run on the server that access the filesystem, etc. However, why does this matter when executing code in a browser? After all, can't you just fire up Firebug and write any arbitrary script you want anyway? So then how is eval any different?

Recommended answer

The danger of eval only rears its ugly head when you are serving a script written by alice to user bob for bob's browser to eval.

e.g. if bob enters his password on your page, alice could have written a keylogger in the user input you evaled and arrange for the data to be encoded in a script that bob will (unknowingly) submit to be served to alice. This is, as @Hunter2 has suggested in the comments, an XSS attack.

If you are not serving to other people, you are correct in assuming it is equivalent to firing up Firebug.
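The answer's point, stated in code (this is an added example, not part of the original question or answer): one user's stored input is later rendered in another user's browser, and the only thing that decides whether that input is data or code is how the page consumes it. The scenario, the `renderConfigUnsafe`/`renderConfigSafe` functions and the sample inputs are all assumptions made for this illustration; the "code" input only sets a global flag so that the run can show that the string was executed rather than parsed.

```javascript
// Added example (not from the original question or answer).
// Assumed scenario: user "alice" submits a "widget config" string, the site
// stores it, and later renders it in user "bob"'s browser.

// Constructed sample inputs: one honest config, one that is actually code.
// The second one evaluates to the same-looking object, but also runs a
// side effect (here just a harmless global flag) with bob's page privileges.
const honestConfig = '{"theme":"dark","columns":3}';
const codeInput = '({theme:"dark", columns: (globalThis.__executed = true, 3)})';

// Vulnerable rendering: whatever alice wrote executes in bob's page.
function renderConfigUnsafe(stored) {
  // eval returns the object, but also runs any side effects in the string.
  return eval(stored);
}

// Hardened rendering: JSON.parse only accepts data; code is a syntax error.
// Shape validation with an allowlist of keys and value ranges is added
// because even valid JSON from another user is still untrusted input.
function renderConfigSafe(stored) {
  let parsed;
  try {
    parsed = JSON.parse(stored);
  } catch (e) {
    return { ok: false, reason: "rejected: not valid JSON" };
  }
  const theme = parsed.theme === "dark" || parsed.theme === "light" ? parsed.theme : "light";
  const columns =
    Number.isInteger(parsed.columns) && parsed.columns > 0 && parsed.columns <= 12 ? parsed.columns : 1;
  return { ok: true, theme, columns };
}

// Runs both renderers over the constructed inputs and reports whether the
// string was executed (flag set) or merely parsed (flag untouched).
function demo() {
  delete globalThis.__executed;
  const unsafeResult = renderConfigUnsafe(codeInput);
  const codeRan = globalThis.__executed === true;

  delete globalThis.__executed;
  const safeResult = renderConfigSafe(codeInput);
  const codeRanSafe = globalThis.__executed === true;

  return {
    unsafeResult,   // {theme:"dark", columns:3} -- looks fine, but...
    codeRan,        // true: eval executed alice's string in bob's context
    safeResult,     // {ok:false, ...}: JSON.parse rejected it as data
    codeRanSafe,    // false: nothing in the string ran
    honest: renderConfigSafe(honestConfig), // {ok:true, theme:"dark", columns:3}
  };
}

console.log(demo());
```

The same distinction applies to `new Function(...)`, `setTimeout` with a string argument and inline event handlers built from user input. As a belt-and-braces control, a Content-Security-Policy that omits `'unsafe-eval'` makes the browser refuse the `eval` path outright, so a forgotten `eval` of stored input fails loudly instead of running.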
