views: 61, answers: 3
var foo = "function (){ alert('meee'); }";
foo();

I have tried the above but it does not work. Is there any other way to execute that function without using eval?

Thanks

A: 

Not that I know of... there's probably a better way to do what you're trying to do, without making yourself vulnerable to a script injection attack, that doesn't involve passing around JavaScript as a string.

vicatcu
I know :) I have searched a lot about this, but I need a safe one. As for what I have read about eval, well, let's just say I got the impression that you might as well give usernames and passwords to people, or delete everything yourself :)
Val
It really depends on where your JavaScript is coming from. If it's in a database and the only way the code strings get in there is by a secure form or what have you, you're probably OK. On the other hand, if you are letting just anyone execute arbitrary code against your backend, yeah, you're probably asking for trouble. Most JavaScript attacks I can conceive of are mostly going to affect user interaction rather than your database. What you're alluding to is probably a script that logs keystrokes and sends them off to a remote site via XHR posts or similar.
vicatcu
From an HTML element's innerHTML.
Val
+2  A: 

According to MDC, use:

var multiply = new Function("x", "y", "return x * y");
var theAnswer = multiply(7, 6);
Anders
I am sure I didn't ask for a maths lesson. All I want is to make a string that contains a function as text and call it. It's easy using eval, but not safe and very slow.
Val
@Val, it's an example of what you should be using, read the reference page.
Anders
I suggest you read it again where it says properties... `arguments Deprecated` and `arity Deprecated`.
Val
`arguments` and `arity` are just properties of the `Function` object that shouldn't be used. The `Function` function itself isn't deprecated (although, again, as I said before, don't use it for what you want to do!)
Claudiu
+4  A: 

You want to use the Function constructor directly, as Anders said. All arguments are strings. The last argument is the body of the function; any leading arguments are the names of the arguments the function takes.

To borrow from Anders' example,

var multiply = new Function("x", "y", "return x * y");

would be like writing

var multiply = function (x, y) {
  return x * y;
};

In your case, you have "function (){ alert('meee'); }" and you want to save it as a function to var foo.

var fn = "function (){ alert('meee'); }";
var foo = new Function("return ("+fn+")")();
foo();
// alerts "meee"

The difference between Function and eval is eval runs in the private scope, while Function runs in the global scope.

var x="haha", y="hehe";

function test () {
  var x=15, y=34;
  eval("alert('eval: ' + x + ', ' + y)");
  new Function("alert('Func: ' + x + ', ' + y)")();
} 

test();

// eval: 15, 34
// Func: haha, hehe

Don't try to run it in the console; you'll get a deceiving result (consoles use eval). Writing it in a <script> tag and loading it in the browser will give the true result.

no
Please note that the way the `Function` constructor creates this function is much the same as the way `eval` does. It's really just another form of `eval`, so all this really does is avoid using the word `eval` itself. But you could also do that like `window[(typeof [][0])[3] + "val"]("4 + 3")`, which gives `7`.
Claudiu
I have to reiterate. You say you are scared of script injection or people stealing your passwords if you use `eval`. Well, **THIS IS USING EVAL**!!! It's the same thing: arbitrary code is being compiled by JS and run. Why do you want users to be able to supply their own functions to your code?
Claudiu
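An added example, not code from the thread, that runs the scope demonstration from the accepted answer in a form that works both in a <script> tag and in Node, and then shows the alternative the commenters hint at: keep the functions in your own source and let the string only select a name from an allow-list. It assumes `globalThis.x` / `globalThis.y` stand in for the answer's top-level `var x`, `var y`; the names `scopeDemo`, `handlers` and `callByName` are mine.

```javascript
// In a <script> tag, top-level `var x` becomes a global property; setting
// globalThis explicitly gives the same effect inside a Node module (assumption).
globalThis.x = "haha";
globalThis.y = "hehe";

// Returns [resultViaEval, resultViaFunction] evaluated from inside a local scope.
// Direct eval sees the local bindings; a Function-constructed body only sees globals.
function scopeDemo() {
  const x = 15, y = 34;                                  // shadow the globals locally
  const viaEval = eval("x + ', ' + y");                  // "15, 34"
  const viaFunction = new Function("return x + ', ' + y")(); // "haha, hehe"
  return [viaEval, viaFunction];
}

// Both branches above compile whatever string they are handed, so neither is
// safer than the other for user-supplied text. The mitigation is to never turn
// input into code: register the callable behaviour here and let the string
// act only as a key into this table.
const handlers = Object.create(null);   // null prototype: "constructor", "toString" etc. are not keys
handlers.greet = () => "meee";
handlers.multiply = (a, b) => a * b;

// Looks up a registered handler by name and calls it; anything not registered is rejected.
function callByName(name, ...args) {
  if (!Object.prototype.hasOwnProperty.call(handlers, name)) {
    throw new Error("unknown handler: " + name);
  }
  return handlers[name](...args);
}

// Stand-alone demonstration.
console.log(scopeDemo());                 // [ '15, 34', 'haha, hehe' ]
console.log(callByName("greet"));         // meee
console.log(callByName("multiply", 7, 6)); // 42
```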