Hi,
I’d like to create a textarea and a division so that whatever embed code you put in the textarea it gets executed on the division in real-time.
Your kind help is greatly appreciated!
JavaScript newbie
[I]division[/I]? What do you mean by "division"?
HTML? JavaScript? CSS?
In that case you need two documents, one which holds the textarea, the other one should be loaded in an iframe within the first document. You need to submit data from the first document to the second where a server-side language code (in PHP, ASP, Java, Perl, whichever) will generate the submitted content of the textarea.
I'm confused. When did server-side language get involved? At first it just sounded to me like you want to allow the user to insert some JavaScript in a textbox and be able to "print" results to <some node> on your page. Is that not the case?
Yes. same as:
http://www.w3schools.com/js/tryit.asp?filename=tryjs_variables
They did as I said: 2 documents, one in the iframe of another, and they use ASP to generate something on the iframed document, based on the submitted values.
[code=html]<textarea id='script_input'>// put your code here</textarea>
<input type='button' value='Execute!' onclick='execute_user_script();' />
<div id='output'>Return value will show up here</div>
<script type='text/javascript'>
function execute_user_script() {
document.getElementById('output').innerHTML = eval(document.getElementById('script_input').value);
} // execute_user_script()
</script>[/code]
Just use eval() or some equivalent. A simplified example...
[code=html]var x = 1;
var y = 2;
x + y;[/code]
[CODE]<script type="text/javascript">
var X = " HTML or JavaScript "
window.onload=function()
{
document.getElementById("result").innerHTML = document.getElementById("input").value;
}
</script>
<textarea id="input" cols="35" rows="7"> X </textarea>
<div id="result"></div>[/CODE]
I would advise against doing it that way. It's one thing to allow your visitors to run arbitrary JavaScript against your site (which they can do anyway)
eval() can be [I]evil[/I] sometimes. If you don't know when and how to handle it, it could bring you harm. This can be the gate for a malicious JavaScript injection intrusion.
The naked truth is exactly the opposite. But for that you should learn a little bit how to use a server-side language.
It's becoming unclear what you really want to do. So, all I can say is, look at my examples again and try to understand the concepts. If you understand what the code is doing, your particular solution will present itself.
Let me reiterate: [I][B]Anyone[/B][/I] can run arbitrary JavaScript against your site [I]at any time[/I] [B]with or without eval()s[/B] by leveraging bookmarklets, the JavaScript console (such as the one in Chrome), [I]the address bar[/I], etc. So long as you ensure that your eval()'s are not eval()ing code written by user A in user B's session, you're not reducing site security in the slightest. You may compromise the integrity of the site if you're an idiot about it, or your site may be inherently insecure, but it's never a result of the [I]mere presence[/I] of eval().
This topic has nothing to do with server side language, nor does it need to. Introducing a server-side component here is of no advantage; it would serve only to add latency. In fact, it is ONLY when you introduce a server-side component that you open up the possibility for user A to inject JavaScript into user B's session. And so, in [I]avoiding[/I] server-side interaction, you ensure security.
No.
When you use [I]your[/I] console to inject something, you might, eventually, do harm to [I]yourself[/I]. :rolleyes: You must have forgotten that JavaScript is a client-side language.
Nonsense. There is no Data Base to be injected. It is just a query to a file which does not handle a DB. And JavaScript can not inject a server-side session. Forget it.
Thanks for coming back to me and sorry about confusion I caused! Please ignore my first post, be patient with me, and let me put my question again:
As you can see in my last code when the page loads (window.onload) the viewer should see a textarea with a default value inside -- which is a code -- and under that a division that displays the result/executed form of that code:
[CODE]<script type="text/javascript">
var X = " code either HTML or JavaScript "
window.onload=function()
{
document.getElementById("result").innerHTML = document.getElementById("input").value;
}
</script>
<textarea id="input" cols="35" rows="7"> X </textarea>
<div id="result"></div>[/CODE]
Now the question is how I can set the whole code (var X) as a variable? I'd like to use eval for that purpose, but I don't know how to do it. I tried my best to make it clear, but please let me know if I need to explain more.
[code=html]<script type="text/javascript">
var X = " code either HTML or JavaScript "
function setX() {
X = document.getElementById('input').value;
}
function evalX() {
document.getElementById('result').innerHTML = eval(X);
}
</script>
<textarea id="input" cols="35" rows="7"> X </textarea>
<input type='button' onclick='setX();' value='Set X' />
<input type='button' onclick='evalX();' value='Eval X' />
<div id="result"></div>[/code]
Are you serious?
... Is he serious?
It's hard to believe, but yes, I think he's serious.
[B]svidgen[/B], there are well known methods to inject, and there are also well known methods to prevent the injection. It is like the perpetual duel between the shell and the armour. But it is not the case for this problem.
[B]svidgen[/B], do you think that handling an expression via [B]eval()[/B] is better than submitting it and executing it on another page, via a server-side language? It is the same thing, if it is raw. Except that on the server side you have some tools to validate and process the data, while the JavaScript eval() will turn out everything in a single breath.
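
The real-time preview asked about in this thread, as an added example that is not part of any post: rather than eval() or innerHTML in the page itself, the textarea content is rendered in a sandboxed iframe, so it runs in a separate, opaque origin and cannot touch the hosting page's DOM, cookies or storage. The function names and the element ids passed in are assumptions made for this example.

```javascript
// Added example; escapeAttr, buildPreviewFrame and attachLivePreview are
// hypothetical names, not code from any post in the thread.

// Escape a string for use inside a double-quoted HTML attribute value.
function escapeAttr(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Return iframe markup whose document is the user's code.
// sandbox="allow-scripts" WITHOUT allow-same-origin: scripts inside the
// frame run, but the frame gets an opaque origin and cannot reach the parent.
function buildPreviewFrame(userCode) {
  return '<iframe sandbox="allow-scripts" srcdoc="' +
         escapeAttr(userCode) + '"></iframe>';
}

// Browser wiring: re-render the preview on every change to the textarea.
// doc is the page's document; inputId/resultId are the textarea and div ids.
function attachLivePreview(doc, inputId, resultId) {
  var input = doc.getElementById(inputId);
  var result = doc.getElementById(resultId);

  function render() {
    var frame = doc.createElement('iframe');
    frame.setAttribute('sandbox', 'allow-scripts');
    // Property assignment takes the raw string, so no escaping is needed here.
    frame.srcdoc = input.value;
    // Replace the previous preview instead of appending a new one each time.
    result.replaceChildren(frame);
  }

  input.addEventListener('input', render);
  render(); // show the textarea's default value on load
}
```

In a page this would be called as `attachLivePreview(document, 'input', 'result')` from `window.onload`, using the ids from the markup posted above.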