Anyone tried this method of disabling all unthoughtful use of eval() in an application?
[code]
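// Keep a reference to the real eval, then replace the global eval binding with
// a stub that only alerts. Code that genuinely needs to evaluate a string must
// call unsafe_eval() explicitly; ordinary eval() calls hit the stub instead.
// Limits: this covers only the eval identifier — Function("...") and
// setTimeout("...") are separate string-to-code paths that remain untouched —
// and assigning to eval is a SyntaxError in strict-mode code and ES modules.
// (The original post used typographic quotes ‘ ’ around the message, which
// are not valid JavaScript string delimiters; fixed to plain apostrophes.)
var unsafe_eval = eval;
eval = function() {alert('Eval is unsafe. Call unsafe_eval() if you understand the consequences.')};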
Developers can still call unsafe_eval(suspicious_string) if they have a legitimate reason to, but ordinary attempts to call eval(suspicious_code) will fail.
Or for the truly paranoid (barring any advanced use of AJAX or 3rd party add-ins):
[code]
// Removes the global eval entirely: any later eval(...) call is a call on null
// and throws a TypeError. Only valid in sloppy-mode script code — in strict
// mode (and ES modules) assigning to eval is a SyntaxError — and, as the post
// itself notes, it also breaks any library or add-in that relies on eval.
eval = null;
Your thoughts?
Cheers,
-Brendan
There's a simpler method: [I]don't use [B]eval()[/B][/I]. [/QUOTE]
For the rare cases when you have to use it (parsing JSON object data) you may use the JSON parser:
http://www.json.org/json_parse.js
And even in this case there is method to avoid eval():
http://code.google.com/p/json-sans-eval/ [/QUOTE]
Your unsafe_eval will just return whatever you set eval to — if you set eval to an alert,
or to null, that's what unsafe_eval will return.[/QUOTE]
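// Demonstrates swapping the global eval for a stub while keeping the original
// reachable through unsafe_eval. Expected alerts, as the post reports them:
// "2", then the stub's message followed by "null" (the stub's return value),
// then "2" again via the saved reference (an indirect eval of the original).
// (Forum markup "<i> </i>" that prefixed each line has been stripped; it is
// not part of the code.)
alert (eval('1+1')); //says "2"
//Do switch
unsafe_eval = eval;
eval = function () {alert ('eval is a bad idea. Call unsafe_eval() if you understand the consequences.'); return null};
alert (eval('1+1')); //says "eval is a bad idea..." then says "null"
alert (unsafe_eval('1+1')); //says "2"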
I agree. That's why I'm thinking of taking it a step further - and [i]preventing[/i] myself or other developers from even using it in the first place.[/QUOTE]
// Save the built-in eval, replace the global binding with a stub returning null,
// then call the saved reference. unsafe_eval('1+1') is an indirect eval of the
// original function; the thread reports "2" in Chrome, while the Firefox of the
// time complained that eval "must be called directly".
unsafe_eval = eval;
eval = function () {return null};
alert (unsafe_eval('1+1'));
That is really funny. Unless perhaps you suspect you are developing Alzheimer's, you cannot use eval() without knowing that you are using it [/QUOTE]
I get this error in firefox, I didn't bother with other browsers.
// Same swap as above: keep the real eval in unsafe_eval, stub the global eval,
// and call the saved reference indirectly. This is the snippet that produced
// the Firefox message quoted right after it ("function eval must be called
// directly, and not by way of a function of another name").
unsafe_eval = eval;
eval = function () {return null};
alert (unsafe_eval('1+1'));
(Error)
function eval must be called directly, and not by way of a function of another name.[/QUOTE]
I get this error in firefox, I didn't bother with other browsers.
// Repeat of the same snippet: save the real eval, stub the global binding,
// call the saved reference. The Firefox message quoted below refers to the
// indirect call on the last line; the thread later notes it is a warning only.
unsafe_eval = eval;
eval = function () {return null};
alert (unsafe_eval('1+1'));
(Error)
function eval must be called directly, and not by way of a function of another name. [/QUOTE]
It's only a warning from Firefox; it still works.
Thanks, works in Chrome but evidently not Firefox.[/QUOTE]
// Walks a chain of nested popup windows through dotted path strings
// ("window.parent.….opener[.opener…]") that are eval()'d to reach the window
// objects. Each pass of the loop extends whichever path still points at an
// open window with ".opener" until no open window remains; the surviving
// path is then used to redirect that window to LogoutPagePath and close the
// windows below it. LogoutPagePath is defined outside this snippet.
// Every path is assembled from literals in this file plus ".opener", so no
// external input reaches eval() here; the eval() calls are still an
// unnecessary indirection — the same objects are reachable with plain
// property access (w = w.opener), which also avoids evaluating each path
// twice per condition (once for the truthiness test, once for .closed).
// Single opener showing one .popup, parents are using here to detect if frames are available in the popup window.
windowStr1 = "window.parent.parent.parent.parent.parent.opener";
windowStr2 = "window.parent.parent.parent.parent.parent.opener.parent.parent.parent.parent.parent.opener";
windowStr3 = "window.parent.parent.parent.parent.parent.opener.parent.parent.parent.parent.parent.opener.parent.parent.parent.parent.parent.opener";
// windowStr4 and windowStr5 are assigned but never read in this snippet.
windowStr4 = "window.parent.parent.parent.parent.parent.opener.parent.parent.parent.parent.parent.opener.parent.parent.parent.parent.parent.opener.parent.parent.parent.parent.parent.opener";
windowStr5 = "window.parent.parent.parent.parent.parent.opener.parent.parent.parent.parent.parent.opener.parent.parent.parent.parent.parent.opener.parent.parent.parent.parent.parent.opener.parent.parent.parent.parent.parent.opener";
ibool = true;
while (ibool)
{
  try
  {
    // The two-level path is probed first; if it is live, look one level
    // deeper before deciding which path to extend. The other two paths are
    // cleared so only one candidate survives each pass.
    if (eval(windowStr2) && ! eval(windowStr2).closed)
    {
      try
      {
        if (eval(windowStr3) && ! eval(windowStr3).closed)
        {
          windowStr3 += ".opener";
          windowStr2 = "";
          windowStr1 = "";
        }
        else
        {
          windowStr2 += ".opener";
          windowStr1 = "";
          windowStr3 = "";
        }
      }
      catch (err1)
      {
        // A failure probing the deeper path is treated like "not open":
        // extend windowStr2 instead.
        // err.description is non-standard (historically IE only); the standard
        // property is err.message.
        // NOTE(review): "nn" reads like a mangled "\n\n" escape in the page
        // text — confirm against the original source.
        txt = "windowStr3 condition failed: " + err1.description + "nn";
        alert (txt);
        windowStr2 += ".opener";
        windowStr1 = "";
        windowStr3 = "";
      }
    }
    else if (eval(windowStr1) && ! eval(windowStr1).closed)
    {
      windowStr1 += ".opener";
      windowStr3 = "";
      windowStr2 = "";
    }
    else if (eval(windowStr3) && ! eval(windowStr3).closed)
    {
      windowStr3 += ".opener";
      windowStr2 = "";
      windowStr1 = "";
    }
    else
    {
      // No path points at an open window any more: stop walking.
      ibool = false;
    }
  }//end try
  catch (err2)
  {
    // Any exception while evaluating windowStr1/windowStr2 is treated as an
    // expired session: redirect and clear all three paths. Clearing makes
    // every eval("") yield undefined on the next pass, so the loop then exits
    // through the final else branch.
    // Assumes window.parent is same-origin — document access would otherwise
    // throw here as well.
    // (See the note above on err.description and "nn".)
    txt = "windowStr2 or windowStr1 condition failed: " + err2.description + "nn";
    alert (txt);
    alert ('Session expired. Please login again.');
    window.parent.document.location.href = LogoutPagePath;
    windowStr1 = "";
    windowStr2 = "";
    windowStr3 = "";
  }
}//End while
// Strip the trailing ".opener" that was appended past the last open window.
// For a cleared path ("") lastIndexOf returns -1, substr(0, -1) yields "",
// and eval("") is undefined, so that path's branch below is skipped.
// (substr is legacy; slice(0, i) is the equivalent here.)
str2 = windowStr1;
str3 = windowStr2;
str4 = windowStr3;
removeOp1 = str2.substr (0,str2.lastIndexOf(".opener"));
removeOp2 = str3.substr (0,str3.lastIndexOf(".opener"));
removeOp3 = str4.substr (0,str4.lastIndexOf(".opener"));
// No opener was ever found: the initial one-level path minus ".opener" is
// just this frame's own parent chain.
if (removeOp1 == "window.parent.parent.parent.parent.parent")
{
  alert ('Session expired1. Please login again.');
  window.parent.document.location.href = LogoutPagePath;
}
// One-level path survived: redirect the parent of the last open opener to the
// logout page, then close windows from that opener back toward this frame,
// one ".opener" level per iteration, stopping at the base path.
else if (eval(removeOp1) && ! eval(removeOp1).closed)
{
  alert ('Session expired2 else part. Please login again.');
  obj1 = eval(removeOp1 + ".parent");
  obj1.document.location.href = LogoutPagePath;
  string2=removeOp1;
  try
  {
    while (eval(string2) && ! eval(string2).closed)
    {
      remOpener1 = string2.substr (0,string2.lastIndexOf(".opener"));
      eval(remOpener1 + ".close()");
      string2 = remOpener1;
      if (remOpener1 == "window.parent.parent.parent.parent.parent")
      {
        break;
      }
    }//end while
  }
  catch (err3)
  {
    // Errors while closing are only reported, not acted on.
    // (See the note above on err.description and "nn".)
    txt = "string2 condition failed: " + err3.description + "nn";
    alert (txt);
  }
}//end else
// Two-level path survived: same redirect-and-close walk; when the walk reaches
// the two-level base path, this frame's own top-level parent is closed too.
else if (eval(removeOp2) && ! eval(removeOp2).closed)
{
  alert('Session expired2 2nd else part. Please login again.');
  obj2 = eval(removeOp2 + ".parent");
  obj2.document.location.href = LogoutPagePath;
  string3 = removeOp2;
  try
  {
    while (eval(string3) && ! eval(string3).closed)
    {
      remOpener2 = string3.substr (0,string3.lastIndexOf(".opener"));
      eval(remOpener2 + ".close()");
      string3 = remOpener2;
      if (remOpener2 == "window.parent.parent.parent.parent.parent.opener.parent.parent.parent.parent.parent")
      {
        window.parent.parent.parent.parent.parent.close();
        break;
      }
    }//end while
  }
  catch (err4)
  {
    // (See the note above on err.description and "nn".)
    txt = "string3 condition failed: " + err4.description + "nn";
    alert (txt);
  }
}//end else
// Three-level path survived: same walk; at the three-level base path both the
// first opener's top-level parent and this frame's top-level parent are closed.
else if (eval(removeOp3) && ! eval(removeOp3).closed)
{
  alert ('Session expired2 3rd else part. Please login again.');
  obj3 = eval(removeOp3 + ".parent");
  obj3.document.location.href = LogoutPagePath;
  string4 = removeOp3;
  try
  {
    while (eval(string4) && ! eval(string4).closed)
    {
      remOpener3 = string4.substr(0,string4.lastIndexOf(".opener"));
      eval(remOpener3 + ".close()");
      string4 = remOpener3;
      if (remOpener3 == "window.parent.parent.parent.parent.parent.opener.parent.parent.parent.parent.parent.opener.parent.parent.parent.parent.parent")
      {
        window.parent.parent.parent.parent.parent.opener.parent.parent.parent.parent.parent.close();
        window.parent.parent.parent.parent.parent.close();
        break;
      }
    }//end while
  }
  catch (err5)
  {
    // (See the note above on err.description and "nn".)
    txt = "string4 condition failed: " + err5.description + "nn";
    alert (txt);
  }
}//end else
windowStr5 = "window.[COLOR="Red"]parent.parent.parent.parent.parent.opener.parent.parent.parent.parent.parent.opener.parent.parent.parent.parent.parent.opener.parent.parent.parent.parent.parent.opener.parent.parent.parent.parent.parent[/COLOR].opener";
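// Direct property access in place of eval("window.parent.….opener"): the same
// window object is reached without evaluating a string, and the .closed guard
// is kept before stepping one opener further along the chain.
// (Forum markup "<i>"/"</i>" that wrapped the snippet has been stripped; it is
// not part of the code.)
var windowStr1 = window.parent.parent.parent.parent.parent.opener;
if(windowStr1&&!windowStr1.closed){
  windowStr1=windowStr1.opener;
}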
//adding close
eval(remOpener1 + ".close()");
}//end while
}
catch (err3)
{
}
}//end if
[CODE]var unsafe_eval = eval; // keep the real eval reachable
eval = function() {alert('Eval is unsafe. Call unsafe_eval() if you understand the consequences.')}; // stub the global eval binding
// The Function constructor is a separate string-to-code path that the eval
// stub above does not intercept: this still compiles and runs the string and
// alerts 4. A string argument to setTimeout is another such path.
alert(Function("return 2+2")());[/CODE]
[CODE]
// Evaluates `code` inside a freshly created iframe and reports back the global
// names that the code introduced there, either as an object or (asString) as
// JSON text. The iframe is created without src or sandbox, so it is
// same-origin with the page — the script written into it reaches `top.Eval`
// directly. This isolates global-name pollution from the page; it does not
// restrict what the evaluated code may do, which is the same as eval in the
// page itself.
// Parameters: code — string to evaluate; callBack(result) — receives the
// collected new globals; asString — truthy to receive JSON.stringify output.
// State is parked on the Eval function object so the iframe script can read
// it through `top.Eval`.
window.Eval = function Eval(code, callBack, asString){
  Eval.callBack=callBack;
  Eval.evalCode=code;
  Eval.asString=asString;
  Eval.worker = document.createElement("iframe");
  // `wrap` is never called. unescape() stringifies it (relies on
  // Function.prototype.toString returning the source text) and decodes the
  // %3C/%3E escapes to < and >, so its body becomes an HTML <script> element
  // that is document.write()n into the iframe below.
  // NOTE(review): /"$$/ only matches a double quote at the very end of the
  // string, which a function's source text does not end with — likely mangled
  // in the page text; confirm against the original.
  var scr=unescape(wrap).replace(/"$$/,"");
  function wrap(){ var x;
    // Opening tag; the trailing "//" comments out the rest of this source line
    // once it is parsed as script inside the iframe.
    x="%3Cscript type='text/javascript'%3E//"
    // r: snapshot of the iframe window's enumerable property names before
    // evaluation; rr: the same list joined with "|" for lookups. r2 is unused.
    var r=[], r2=[], r3={}, rr="";
    for(var it in window){ r.push(it); }
    rr="|"+r.join("|")+"|";
    // Evaluates the caller's code via setTimeout with a string argument (itself
    // a string-to-code path). The empty catch swallows any error, so code that
    // throws is indistinguishable from code that created no globals.
    setTimeout("try{eval(top.Eval.evalCode);}catch(y){;}",0);
    // After a fixed 50 ms, collect every name not present in the snapshot;
    // undefined values are reported as null (the != null test). Effects that
    // happen later than 50 ms are not captured.
    setTimeout(function(){
      for(var it in window){
        if(rr.indexOf("|"+it+"|")==-1){
          r3[it]=window[it]!=null?window[it]:null;
        }
      }
      // NOTE(review): the "t" indent argument is probably a mangled "\t" in
      // the page text — confirm against the original.
      top.Eval.callBack(top.Eval.asString ? (JSON.stringify(r3, null,"t")) : r3 );
      top.document.body.removeChild(top.Eval.worker);
    }, 50);
    // Carries the closing tag text; the comparison itself has no effect.
    "$$%3C/script%3E"==x ;
  }//end client code wrapper
  document.body.appendChild(Eval.worker);
  Eval.worker.contentDocument.write(scr);
};
// Example: declares three globals in the iframe and alerts the JSON report.
Eval("var a,b,c=3;",
function(a){alert(a)}, true );[/CODE]