使用javascript eval()在输入中进行简单计算是否安全? [英] Is using javascript eval() safe for simple calculations in inputs?
问题描述
我希望允许用户在文本输入中执行简单的计算,以便键入2 * 5将得到10。我用空字符串替换除数字以外的所有内容,然后使用eval()进行计算。
I would like to allow user to perform simple calculations in the text inputs, so that typing 2*5 will result in 10. I'm replacing everything but digits with an empty string and then make calculation using eval(). This seems easier and probably faster then parsing it manually.
通常会说eval()是不安全的,所以我想听听是否存在任何危险或缺点。在这种情况下使用它。
It's often being said that eval() is unsafe, so I would like to hear is there any danger or drawback of using it in this situation.
function (input) {
value = input.value.replace(/[^-\d/*+.]/g, '');
input.value=eval(value);
}
推荐答案
那很安全,不是因为您正在对它进行消毒,但是因为它全部由用户输入并在自己的浏览器中运行。如果他们真的想输入恶意代码,则可以通过使用Firebug或Web检查器,甚至使用书签来完成。值得庆幸的是,除了锁定自己的浏览器之外,您无法用JavaScript恶意地做很多事情:)
That is safe, not because you are sanitizing it, but because it's all entered by the user and run in their own browser. If they really wanted to enter malicious code, they could do it anyway by using firebug or web inspector, or even using a bookmarklet. Thankfully, there isn't much you can do maliciously with javascript except lock up your own browser :)
这篇关于使用javascript eval()在输入中进行简单计算是否安全?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
