On Sat, Aug 20, 2011 at 1:22 PM, Nick Morgan <skilldr...@gmail.com> wrote:
> On 20 August 2011 20:10, Peter van der Zee <jsment...@qfox.nl> wrote: > > > Personally I'd never use a construct like this. Just expose private > > variables as you go. Using eval is dangerous, especially because I > > don't quite see the point of the regex. I mean, what is clean() trying > > to do? `alert('foo');` is going to go through... > > I agree with Peter, I'd expose only things I really want to. Personally, I always try to avoid `eval`, IMHO avoiding `eval` is not just about the risks of code evaluation, `eval` inhibits a lot of optimizations, for example, in your code, the variables `private` and `private2` are not statically referenced by anything, if you don't use `eval`, an implementation may optimize the function, to avoid storing the non-used values (it might not even create the variables if not referenced -no one will notice-). Using `eval` forces the implementation to keep access to all identifiers in the scope chain of the function, whether they are statically referenced or not. The Arguments object creation is another example where you can notice that `eval` impacts on function optimization, in most implementations the arguments object is not automatically created if you don't explicitly reference it on the function body. Using `eval` inside a function, forces its creation. Related: - SpiderMonkey Function Internals: https://developer.mozilla.org/En/SpiderMonkey/Internals/Functions - Some perf-tests on the Arguments object creation: http://jsperf.com/arguments-0-vs-a > I think you may have misread the regex - it checks for anything that's > not \w - i.e. any non-identifier character (I should've used \W rather > than [^\w] in retrospect). So it wouldn't allow alert('foo') through > (I've included an example of an alert not making it through). > > Yeah, your RegExp will catch that case, but your `clean` function still has some vulnerabilities, for example, if you pass a *tampered *object to your `send` method: obj.send({ match:function () {}, replace: function() { return 'alert("I am teh hax0rz "+private)'; } }); It will pass your validation and it will evaluate the code, granting access to all the identifiers in the scope of your `send` function... I would force string conversion before validating. Anyway, I also agree with you, it could be useful for testing. Cheers, -- Christian C. Salvadó @cmsalvado <http://twitter.com/cmsalvado> -- To view archived discussions from the original JSMentors Mailman list: http://www.mail-archive.com/jsmentors@jsmentors.com/ To search via a non-Google archive, visit here: http://www.mail-archive.com/jsmentors@googlegroups.com/ To unsubscribe from this group, send email to jsmentors+unsubscr...@googlegroups.com