On Sat, Aug 20, 2011 at 1:22 PM, Nick Morgan <skilldr...@gmail.com> wrote:
> On 20 August 2011 20:10, Peter van der Zee <jsment...@qfox.nl> wrote:
>
> > Personally I'd never use a construct like this. Just expose private
> > variables as you go. Using eval is dangerous, especially because I
> > don't quite see the point of the regex. I mean, what is clean() trying
> > to do? `alert('foo');` is going to go through...
>
>
I agree with Peter, I'd expose only things I really want to. Personally, I
always try to avoid `eval`, IMHO avoiding `eval` is not just about the risks
of code evaluation, `eval` inhibits a lot of optimizations, for example, in
your code, the variables `private` and `private2` are not statically
referenced by anything, if you don't use `eval`, an implementation may
optimize the function, to avoid storing the non-used values (it might not
even create the variables if not referenced -no one will notice-). Using
`eval` forces the implementation to keep access to all identifiers in the
scope chain of the function, whether they are statically referenced or not.
The Arguments object creation is another example where you can notice that
`eval` impacts on function optimization, in most implementations the
arguments object is not automatically created if you don't explicitly
reference it on the function body. Using `eval` inside a function, forces
its creation.
Related:
- SpiderMonkey Function Internals:
https://developer.mozilla.org/En/SpiderMonkey/Internals/Functions
- Some perf-tests on the Arguments object creation:
http://jsperf.com/arguments-0-vs-a
> I think you may have misread the regex - it checks for anything that's
> not \w - i.e. any non-identifier character (I should've used \W rather
> than [^\w] in retrospect). So it wouldn't allow alert('foo') through
> (I've included an example of an alert not making it through).
>
>
Yeah, your RegExp will catch that case, but your `clean` function still has
some vulnerabilities, for example, if you pass a *tampered *object to your
`send` method:
obj.send({
match:function () {},
replace: function() { return 'alert("I am teh hax0rz "+private)'; }
});
It will pass your validation and it will evaluate the code, granting access
to all the identifiers in the scope of your `send` function... I would force
string conversion before validating.
Anyway, I also agree with you, it could be useful for testing.
Cheers,
--
Christian C. Salvadó
@cmsalvado <http://twitter.com/cmsalvado>
--
To view archived discussions from the original JSMentors Mailman list:
http://www.mail-archive.com/jsmentors@jsmentors.com/
To search via a non-Google archive, visit here:
http://www.mail-archive.com/jsmentors@googlegroups.com/
To unsubscribe from this group, send email to
jsmentors+unsubscr...@googlegroups.com
