Hacker Read

porsager · 2020-04-04 21:06:09+00:00

Hehe, you’re probably right about that, but you could script the live part with the api, and then get the eval part to update as you mentioned, and allow the user to play around at the same time. I'm sorry you didn't find it related.

mistercow | karma 10714 | avg karma 3.06 · | 2012-08-10 11:21:54

Yes of course. And even if they couldn't, it would be trivial to fork an existing JS implementation and make eval spit out its input.

lukev | karma 6893 | avg karma 6.32 · | 2011-07-29 17:33:54+00:00

And I have no doubt that's how it would be done, except that it turns out eval isn't actually necessary for a browser interactive REPL, which is pretty much all that developers need.

cestith | karma 2277 | avg karma 1.73 · | 2022-08-10 08:44:11

Are you taking JSON API submissions and just running them through eval()? If so, where's your API?

3JPLW | karma 3234 | avg karma 4.98 · | 2019-11-01 15:35:49

I don't think that has anything to do with `eval`. It's just hard to do with a dynamic language.

And that's not to say it shouldn't be attempted!

reply

mkdirp | karma 1232 | avg karma 7.33 · | 2022-01-09 19:16:45

Heh. I overlooked that. I've updated my comment. It's still possible without eval, but with caveats.

ape4 | karma 4305 | avg karma 1.73 · | 2014-10-09 15:50:31+00:00

But nobody does eval(json) anymore. Not safe. We use a special function. So could have a special function for this.

saagarjha | karma 56017 | avg karma 2.29 · | 2022-12-13 17:12:39

eval exists :)

k3oni | karma 515 | avg karma 2.86 · | 2014-02-12 18:01:52

Good point there, i'll look into limiting the eval().

I would hope that people won't give access to everyone to the dashboard, wasn't really build for that, or at least that wasn't my initial idea.

reply

ynniv | karma 5590 | avg karma 3.51 · | 2018-03-12 15:19:19

Possible, but unlikely. eval is particularly difficult to use correctly, and can almost always be replaced with something better.

0x0 | karma 17884 | avg karma 5.06 · | 2015-06-16 00:10:39+00:00

Straight-up eval() would be the most blatant case of a remote code execution vulnerability the web has ever seen. I don't think it's easy or even possible to build a foolproof sandbox out of eval(). And even then you open yourself to a denial of service since you cannot interrupt the eval().

waffletower | karma 578 | avg karma 1.69 · | 2023-06-29 10:08:46

No, 'eval' is available in many dynamic languages and needs to be utilized with care

fragsworth | karma 5411 | avg karma 4.33 · | 2012-04-10 06:39:02+00:00

What is the problem with eval? Even Python lets you do that. There are legitimate uses for it.

gnode | karma 2428 | avg karma 2.09 · | 2016-09-29 13:10:07+00:00

Not exactly sure why you got downvoted. Perhaps people should actually say why they think eval is a bad idea.

My guess is it's something to do with cross site scripting. I can see advantages to using XMLHttpRequest in conjuction with eval in some cases, such as being able to monitor script download progress with the onprogress event.

reply

CJefferson | karma 14328 | avg karma 4.42 · | 2021-01-21 07:42:04

That doesn't work (easily) in a function as eval only has the global context, not access to local variables (although you can do some hackery to make it work)

xxpor | karma 8959 | avg karma 2.97 · | 2021-11-05 11:13:35

But if you only evoke eval() on non-hacker controlled data in a scripting language, it's probably fine too.

lopatin | karma 2493 | avg karma 4.13 · | 2015-06-21 21:11:03+00:00

This is pretty cool. Maybe can be useful as a safe alternative to eval()?

jpochtar | karma 582 | avg karma 3.88 · | 2018-07-12 17:19:43

Removing eval wouldn't help— you could always just write a tiny interpreter to do the same thing. This is a problem in any Turing complete programming language (with Reflection), although JS makes it easier.

ikari_pl | karma 380 | avg karma 2.15 · | 2023-11-06 02:13:40

um, sir... please show us the implementation of eval.

thom_nic | karma 639 | avg karma 3.74 · | 2016-10-25 02:23:40+00:00

Allowing user-defined rules comes to mind. AFAIK `eval()`-ing user input is can't be done in a safe way. Probably OK on browser but not on the server.