Javascript eval()的这种使用是否100％安全? [英] Is this use of Javascript eval() 100% safe?

问题描述

我正在编写一个可生成Javascript代码的PHP库.

I'm writing a PHP library which generates Javascript code.

Javascript代码具有许多名为component001，component002等的组件.

The Javascript code has a number of components named component001, component002, etc.

页面是通过AJAX动态加载的.

Pages are loaded dynamically via AJAX.

我需要通过URL变量传递组件的名称，然后由脚本将其避开().

I need to pass the name of the component via URL variable which is then evaled() by the script.

保护正被规避的唯一方法是使用正则表达式^component[0-9]{3}$:如果通过则被规避，否则不会.

The only way I am protecting what is being evaled is with the regular expression ^component[0-9]{3}$: if it passes it gets evaled, otherwise it does not.

对我来说，这是100％安全的，因为除非它只是我的一个已知组件的名称，或者在本代码示例中可能利用了eval()命令的某些内容，否则什么都不会执行，例如正则表达式注入，某种跨站点脚本等?

To me this is 100% safe since nothing will get executed unless it is simply the name of one of my known components, or is there something about the eval() command that could be exploited in this code sample, e.g. regex injection, some kind of cross site scripting etc.?

window.onload = function() {

    // *** DEFINED IN ANOTHER JAVASCRIPT FILE:
    var component001 = 'testing111';
    var component002 = 'testing222';
    var component003 = 'testing333';

    var APP = {};

    APP.getUrlVars = function() {
        var vars = [], hash;
        var hashes = window.location.href.slice(window.location.href.indexOf('?') + 1).split('&');
        for(var i = 0; i < hashes.length; i++) {
            hash = hashes[i].split('=');
            vars.push(hash[0]);
            vars[hash[0]] = hash[1];
        }
        return vars;
    }

    APP.getUrlVar = function(name, defaultValue) {
        defaultValue = (typeof defaultValue == 'undefined') ? '' : defaultValue;
        var vars = APP.getUrlVars();
        if(vars[name] === undefined)
        {
            return defaultValue;
        } else {
            return vars[name];
        }
    }

    APP.safeEval = function(nameOfComponent) {
        var REGEX_VALID_NAME = /^component[0-9]{3}$/;
        if(REGEX_VALID_NAME.test(nameOfComponent)) {
            return eval(nameOfComponent);
        } else {
            return 'ERROR';
        }

    }

    // *** JAVASCRIPT FILE LOADED VIA AJAX:

    var nameOfComponentToDisplay = APP.getUrlVar('compname', 'component001');
    var component = APP.safeEval(nameOfComponentToDisplay);
    document.write(component);

}

推荐答案

使用eval的原因几乎为零，我认为这不是其中之一.请记住，所有对象都像字典一样工作，因此您可以简单地执行以下操作:

There is almost zero reasons to use eval and I think that this is not one of them. Remember that all objects act like dictionaries so you can simply do something like this:

var components = {
    component001 : 'testing111',
    component002 : 'testing222',
    component003 : 'testing333'
};

APP.safeEval = function(nameOfComponent) {
    var result = components[nameOfComponent];
    if(result) {
        return result;
    } else {
        return 'ERROR';
    }
}

这篇关于Javascript eval()的这种使用是否100％安全?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！