用于评估简单数学字符串的JavaScript,如5 * 1.2(eval / white-list?) [英] JavaScript to evaluate simple math string like 5*1.2 (eval/white-list?)
问题描述
我有一个输入onchange,它将 05008
等数字转换为 5,008.00
。
I have an input onchange that converts numbers like 05008
to 5,008.00
.
我正在考虑对此进行扩展,以便进行简单的计算。例如, 45 * 5
将自动转换为 225.00
。
I am considering expanding on this, to allow simple calculations. For example, 45*5
would be converted automatically to 225.00
.
我可以使用字符白名单()+ / * - 0123456789。
,然后将结果传递给 eval
,我认为这些字符可以安全地防止任何危险的注射。假设我使用了适当的 try
/ catch
,因为可能会产生语法错误。
I could use a character white-list ()+/*-0123456789.
, and then pass the result to eval
, I think that these characters are safe to prevent any dangerous injections. That is assuming I use an appropriate try
/catch
, because a syntax error could be created.
-
这是一个好的白名单,然后将其传递给
eval
?
建议修改白名单
您是否建议使用其他方法(也许已经有一个功能可以做到这一点)
Do you recommend a different approach (maybe there is already a function that does this)
我宁愿保持它的轻量级。这就是我喜欢 eval
/ white-list方法的原因。非常少的代码。
I would prefer to keep it lightweight. That is why I like the eval
/white-list approach. Very little code.
你推荐什么?
推荐答案
白名单看起来对我来说是安全的,但这不是一个简单的问题。在某些浏览器中,例如,像这样的eval-string:
That whitelist looks safe to me, but it's not such a simple question. In some browsers, for example, an eval-string like this:
/.(.)/(34)
相当于:
new RegExp('.(.)').exec('34')
因此返回数组 ['34','4']
。这是安全吗?
and therefore returns the array ['34','4']
. Is that "safe"?
因此虽然这种方法可能会安全地运作,但这可能是一个非常棘手的主张。如果你继续这个想法,我认为你应该使用很多更积极的方法来验证你的输入。你的原则应该是这是一个明确定义的字符串集合中的成员,已知为'安全',而不是这是一个不明确的字符串集合的成员,排除了所有已知的'不安全的字符串。此外,为了避免操作员偷看您未考虑的任何风险(例如 ++
或 + =
或者诸如此类的,我认为你应该在每个非数字非点字符前插入一个空格;并且为了避免括号触发函数调用的任何风险,我认为您应该通过反复替换(...)
并使用空格加上评估<$的结果来自己处理它们c $ c> ... (确认结果是一个数字后)加上一个空格。
So while the approach can probably be made to work safely, it might be a very tricky proposition. If you do go forward with this idea, I think you should use a much more aggressive approach to validate your inputs. Your principle should be "this is a member of a well-defined set of strings that is known to be 'safe'" rather than "this is a member of an ill-defined set of strings that excludes all strings known to be 'unsafe'". Furthermore, to avoid any risk of operators peeking through that you hadn't considered (such as ++
or +=
or whatnot), I think you should insert a space in front of every non-digit-non-dot character; and to avoid any risk of parentheses triggering a function call, I think you should handle them yourself by repeatedly replacing (...)
with a space plus the result of evaluating ...
(after confirming that that result is a number) plus a space.
(顺便问一下,怎么回事 =
是否在您的白名单中?我无法弄清楚这对哪些有用!)
(By the way, how come =
is in your whitelist? I just can't figure out what that's useful for!)
这篇关于用于评估简单数学字符串的JavaScript,如5 * 1.2(eval / white-list?)的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!