
Hehe, you’re probably right about that, but you could script the live part with the api, and then get the eval part to update as you mentioned, and allow the user to play around at the same time. I'm sorry you didn't find it related.



Yes of course. And even if they couldn't, it would be trivial to fork an existing JS implementation and make eval spit out its input.

And I have no doubt that's how it would be done, except that it turns out eval isn't actually necessary for a browser interactive REPL, which is pretty much all that developers need.

Are you taking JSON API submissions and just running them through eval()? If so, where's your API?

I don't think that has anything to do with `eval`. It's just hard to do with a dynamic language.

And that's not to say it shouldn't be attempted!


Heh. I overlooked that. I've updated my comment. It's still possible without eval, but with caveats.

But nobody does eval(json) anymore. Not safe. We use a special function. So could have a special function for this.
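The "special function" the comment above refers to is `JSON.parse`. As an added example (not code from any commenter in this thread), the block below puts the old `eval(json)` pattern next to `JSON.parse` on two constructed inputs: honest JSON and a string that looks like JSON but carries an expression with a side effect (a marker flag on `globalThis`, nothing more). The `hasExpectedShape` validator and the input strings are assumptions made for the demonstration.

```javascript
// Added example: why `eval(json)` is unsafe and what replaced it.
// `JSON.parse` only accepts the JSON grammar, so anything that is not plain
// data is rejected with a SyntaxError instead of being executed.

// Constructed inputs. The second is not valid JSON: its "roles" value is a
// parenthesised comma expression that assigns a marker flag before yielding
// an array. eval() runs it; JSON.parse refuses it.
const HONEST_JSON = '{"user": "alice", "roles": ["viewer"]}';
const JSON_LOOKALIKE =
  '{"user": "alice", "roles": (globalThis.sideEffect = "ran", ["admin"])}';

// The old pattern: wrap in parentheses so an object literal parses, then eval.
// Kept here only as the unsafe "before"; do not use it on untrusted text.
function parseWithEval(text) {
  return eval('(' + text + ')');
}

// The replacement: JSON.parse, with a parse failure surfaced as null.
function parseUntrusted(text) {
  try {
    return JSON.parse(text);
  } catch (err) {
    return null; // SyntaxError: input was not JSON
  }
}

// JSON.parse yields data, not trust: still check the shape before using it.
// (Hypothetical schema for this demo: a string `user` and an array `roles`.)
function hasExpectedShape(obj) {
  return obj !== null &&
    typeof obj === 'object' &&
    typeof obj.user === 'string' &&
    Array.isArray(obj.roles) &&
    obj.roles.every((r) => typeof r === 'string');
}

// Run both parsers over the look-alike and report whether the side effect fired.
function demo() {
  globalThis.sideEffect = 'untouched';
  const viaEval = parseWithEval(JSON_LOOKALIKE); // the expression executes
  const evalRan = globalThis.sideEffect;          // -> "ran"

  globalThis.sideEffect = 'untouched';
  const viaParse = parseUntrusted(JSON_LOOKALIKE); // SyntaxError -> null
  const parseRan = globalThis.sideEffect;          // -> "untouched"

  return { viaEval, evalRan, viaParse, parseRan, honest: parseUntrusted(HONEST_JSON) };
}
```

Running `demo()` shows the whole point in one place: the eval path returns an object whose `roles` the input rewrote to `["admin"]` and flips the flag, while `JSON.parse` returns null and leaves the flag alone. `hasExpectedShape` is the second half of the defence: accepting the bytes as data does not mean accepting them as valid.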

eval exists :)

Good point there, I'll look into limiting the eval().

I would hope that people won't give access to everyone to the dashboard, wasn't really built for that, or at least that wasn't my initial idea.


Possible, but unlikely. eval is particularly difficult to use correctly, and can almost always be replaced with something better.

Straight-up eval() would be the most blatant case of a remote code execution vulnerability the web has ever seen. I don't think it's easy or even possible to build a foolproof sandbox out of eval(). And even then you open yourself to a denial of service since you cannot interrupt the eval().

No, 'eval' is available in many dynamic languages and needs to be utilized with care.

What is the problem with eval? Even Python lets you do that. There are legitimate uses for it.

Not exactly sure why you got downvoted. Perhaps people should actually say why they think eval is a bad idea.

My guess is it's something to do with cross site scripting. I can see advantages to using XMLHttpRequest in conjunction with eval in some cases, such as being able to monitor script download progress with the onprogress event.


That doesn't work (easily) in a function as eval only has the global context, not access to local variables (although you can do some hackery to make it work).

But if you only evoke eval() on non-hacker controlled data in a scripting language, it's probably fine too.

This is pretty cool. Maybe can be useful as a safe alternative to eval()?

Removing eval wouldn't help— you could always just write a tiny interpreter to do the same thing. This is a problem in any Turing complete programming language (with Reflection), although JS makes it easier.

um, sir... please show us the implementation of eval.

Allowing user-defined rules comes to mind. AFAIK `eval()`-ing user input can't be done in a safe way. Probably OK on browser but not on the server.
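The user-defined-rules case above, and the earlier remark that one could "write a tiny interpreter", point the same way: a rule language with a fixed grammar needs no `eval()` at all. As an added example (not code from anyone in this thread), the block below implements a deliberately tiny rule evaluator: each rule is one or more clauses of the form `field op literal` joined by `and`, where the operator set is an allowlist and literals are numbers or double-quoted strings. The grammar, the `evaluateRule` API and the sample records are assumptions made for the demonstration.

```javascript
// Added example: user-defined rules evaluated by a purpose-built interpreter
// instead of eval(). A rule can only compare own fields of the record it is
// given against literals; there is no path from rule text to other code.

// Allowlisted operators. Ordering comparisons only apply to numbers so a
// string field never gets coerced.
const OPERATORS = {
  '==': (a, b) => a === b,
  '!=': (a, b) => a !== b,
  '>':  (a, b) => typeof a === 'number' && a > b,
  '>=': (a, b) => typeof a === 'number' && a >= b,
  '<':  (a, b) => typeof a === 'number' && a < b,
  '<=': (a, b) => typeof a === 'number' && a <= b,
};

// One clause: identifier, operator, then a number or a double-quoted string.
// The sticky flag lets the parser consume the rule left to right and reject
// any leftover text, so there is no "rest of the line" that slips through.
const CLAUSE = /\s*([A-Za-z_]\w*)\s*(==|!=|>=|<=|>|<)\s*(-?\d+(?:\.\d+)?|"[^"\\]*")\s*/y;
const SEPARATOR = /and\s+/iy;

// Parse a rule string into clauses, throwing on anything outside the grammar.
function parseRule(rule) {
  const clauses = [];
  let pos = 0;
  for (;;) {
    CLAUSE.lastIndex = pos;
    const m = CLAUSE.exec(rule);
    if (!m) throw new Error('rule rejected at offset ' + pos);
    const [, field, op, lit] = m;
    const value = lit.startsWith('"') ? lit.slice(1, -1) : Number(lit);
    clauses.push({ field, op, value });
    pos = CLAUSE.lastIndex;
    if (pos === rule.length) return clauses;
    SEPARATOR.lastIndex = pos;
    if (!SEPARATOR.test(rule)) throw new Error('expected "and" at offset ' + pos);
    pos = SEPARATOR.lastIndex;
  }
}

// Evaluate parsed clauses against a plain record. Only own properties are
// read, so a rule naming `constructor` or `toString` simply fails to match.
function matches(clauses, record) {
  return clauses.every(({ field, op, value }) => {
    if (!Object.prototype.hasOwnProperty.call(record, field)) return false;
    return OPERATORS[op](record[field], value);
  });
}

function evaluateRule(rule, record) {
  return matches(parseRule(rule), record);
}

// Constructed sample records and rules for a quick run.
const SAMPLE_RECORDS = [
  { amount: 250, country: 'US', role: 'user' },
  { amount: 50,  country: 'US', role: 'admin' },
];

function demo() {
  const rule = 'amount > 100 and country == "US"';
  return SAMPLE_RECORDS.map((r) => evaluateRule(rule, r)); // -> [true, false]
}
```

The shape of the thing is what matters: the parser accepts exactly one grammar and refuses everything else, and the evaluator reads only own properties of the record. Extending it means adding an operator to the table or a production to the grammar, never handing the string to the language runtime.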