I have an HTML page with a text field for the user to enter expressions like these:

(x+23)*2
((x-y)*(x+y))
x*2/z+y

The user enters them and I use the 'eval' method to execute them. Before calling eval I make a check that there is nothing dodgy (like attempting to define a function or similar).

It seems to me that I should be fine. But am I introducing a security hole because I call 'eval' on the user's string? What's the risk?

A: 

All the user can do is to evaluate stuff in the scope of this page. If the user types in horrible script, what can it do to anyone except the user him/herself?

There is nothing the user can eval in that field that could not also be put in the location bar as a bookmarklet - all is run in the scope of the client browser.

mplungjan
So am I right? Nothing to worry about?
Lx1
Unless you send the code somewhere else, or someone else can give a URL to your page where the code in the URL is eval'd, then I would not worry at all here. As soon as you save the code, for example on a web page with examples, the code could execute in the browser of the person who loads the page next.
mplungjan
+1  A: 

The client can call JavaScript on its own machine anyway with the help of browser plugins and JavaScript debugging tools. It would be another thing if you'd attempt to run user-defined code on the server; that would be very risky.

codymanix
Nothing on the server side. I am just evaling his text field. Is there any risk?
Lx1
As I said, the user is able to do anything on his machine anyway so you are not adding additional risk.
codymanix
A: 

If you happen to have jQuery installed, something like this may happen if not checked:

$.getScript("test.js");

http://api.jquery.com/jQuery.getScript/

Im0rtality
Same as javascript:void($.getScript("test.js")) from the location bar.
mplungjan
And so what? What'd happen?
Lx1
Same as if the user had pasted it into your textarea and had it eval'd. jQuery would load the script.
mplungjan
A: 

Presumably you are filtering the string the user provides. However there is a risk that there is a sneaky way to accomplish harm that you have overlooked.

gnibbler
Like what? Assume I let any dodgy script... so what?
Lx1
+1  A: 

The main thing to worry about is if they can form a URL and send it to someone and then have the eval be performed on another machine by clicking the URL. This would be possible if your form uses GET or even if you don't distinguish between GET/POST when you evaluate the form.

There are other things you can do to be even more sure.

Lou Franco
+1  A: 

If you are only evaling a user's code to that user on that page, then you are fine. You start to get security problems when you take user-entered strings and eval them on other users' visits. If you aren't doing this, then there is no security hole at all. Anyone can eval JavaScript on a page they are visiting; you can't stop them.

Jake
You said: "Anyone can eval JavaScript on a page they are visiting, you can't stop them." How do you mean?
Lx1
javascript:window.alert(document.location)
tc.
Sorry, I don't get you. What's that?
Lx1
It is a bookmarklet. Paste it into the location bar and the script will execute in the scope of your web page.
mplungjan
A: 

What do you mean by "I make a check that there is nothing dodgy"? Blacklisting certain keywords doesn't work. For example,

eval("(func"+"tion () { window.alert('haha'); })()");

As Lou said, you have to be worried when you add functionality to the page. If you add a "share this" button which makes a link to http://example.com/mypage?expr=x-1, it wouldn't be difficult to trick an unsuspecting user to click a link which stole cookies.

I'm pretty sure you can find JavaScript sandboxing out there somewhere.

tc.
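The approach the asker's input actually needs, as an added example and not code from any of the answers: a recursive-descent evaluator for the page's arithmetic grammar (numbers, variables, + - * /, parentheses) that never calls eval, so the "func"+"tion" keyword-splitting trick above is rejected at parse time rather than filtered. The function name evalExpr and the vars parameter (an object of allowed variable values such as {x: 2, y: 3}) are assumptions.

```javascript
// Added example, not from any of the answers: evaluate the asker's expressions
// ("(x+23)*2", "x*2/z+y", ...) without eval(). The recursive-descent parser
// accepts only numbers, variables, + - * / and parentheses, so a blacklist
// bypass such as "func"+"tion () {...}()" is rejected as a syntax error.
// evalExpr and `vars` (a plain {name: number} object) are assumptions.
function evalExpr(src, vars) {
  const tokens = src.match(/\s*(\d+(?:\.\d+)?|[A-Za-z_]\w*|[-+*\/()])\s*/g);
  // match() skips unmatched characters, so re-joining must reproduce src exactly.
  if (!tokens || tokens.join('') !== src) {
    throw new SyntaxError('expression contains unsupported characters');
  }
  const toks = tokens.map((t) => t.trim());
  let pos = 0;
  const peek = () => toks[pos];
  const next = () => toks[pos++];
  // expr := term (('+' | '-') term)*
  function expr() {
    let value = term();
    while (peek() === '+' || peek() === '-') {
      value = next() === '+' ? value + term() : value - term();
    }
    return value;
  }
  // term := factor (('*' | '/') factor)*
  function term() {
    let value = factor();
    while (peek() === '*' || peek() === '/') {
      value = next() === '*' ? value * factor() : value / factor();
    }
    return value;
  }
  // factor := number | variable | '-' factor | '(' expr ')'
  function factor() {
    const tok = next();
    if (tok === undefined) throw new SyntaxError('unexpected end of expression');
    if (tok === '-') return -factor();
    if (tok === '(') {
      const value = expr();
      if (next() !== ')') throw new SyntaxError('missing closing parenthesis');
      return value;
    }
    if (/^\d/.test(tok)) return Number(tok);
    // Only own properties of vars resolve: no window/document, no prototype chain.
    if (Object.prototype.hasOwnProperty.call(vars, tok)) return vars[tok];
    throw new ReferenceError('unknown variable ' + tok);
  }
  const result = expr();
  if (pos !== toks.length) throw new SyntaxError('unexpected token ' + toks[pos]);
  return result;
}
```

Because the only lookups are own properties of vars, the evaluator has no path to window, document or cookies regardless of what the text field contains.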