What are the ways to apply Eval in Javascript

Asked

Viewed 1,400 times

17

There is more than one way to make one eval() in javascript, problem is that it can be a danger for the user if misused.

Internally some other methods also do Val, for example the setTimeout() which if placed in the argument of callback a string it will apply an Eval.

What are the ways to apply Eval in Javascript?

Complementary to the subject, I found this question aimed at implications of the use of Eval.

  • Can refrasear / explain better "What are the ways to apply Eval in Javascript?". Refers to how javascript works internally, whether there are other methods that use Eval internally, or what practices to take into account?

  • 1

    @Sergio refers to the ways to apply the Val focused on who is creating a code, where it can execute an Val, so I’m trying to refer to the methods that perform in their code evaluation arguments. But the other two questions are interesting too, how it works internally and what practices should be taken into account, I will see if no one has asked them before and if not, I will put them separately, because the questions are quite different.

3 answers

21


I’ll show you eight different types that transform strings into a code that can be executed immediately. In this case, I am using only pure javascript, but libraries like jQuery have methods that implicitly can be exploited as Eval.

val()

The very one val

eval("alert('lorem ipsum')");

setTimeout()

setTimeout is the best known example of using eval if you pass a string.

// Ambos são equivalentes
setTimeout("alert('lorem ipsum')", 100);
setTimeout(function(){ eval("alert('lorem ipsum')"); }, 100);

setInterval()

setInterval is similar to setTimeout, but performs at each time period and not only at the end of the chosen time.

// Ambos são equivalentes
setInterval("alert('lorem ipsum')", 100);
setInterval(function(){ eval("alert('lorem ipsum')"); }, 100);

new function()

Function implicitly can be considered a form of Eval because it strings accepted

var adder = new Function("a", "b", "return a + b");
alert(adder(3,5));

Document.write()

Document.write, if used to write tags <script>, also works as eval

document.write('<script>alert("lorem ipsum")</script>')

Document.writeln()

Document.writeln is very similar to Document.write, but adds a new line to the end.

document.writeln('<script>alert("lorem ipsum")</script>')

Data URI

Data Uris are the most atypical example, but are eventually used to exploit faults in browsers.

var s = document.createElement('script');
s.src = 'data:text/javascript,' + encodeURIComponent('alert("lorem ipsum")')
document.body.appendChild(s);

Reference: own knowledge, MDN links and http://kubyshkin.ru/posts/studying-javascript-eval.html

GIFT

Similar to the data Uris approach, but inserting the code directly instead of resorting to the attribute src:

var s = document.createElement('script');
s.appendChild(document.createTextNode('alert("lorem ipsum");'));
document.body.appendChild(s);

javascript:

Also similar to the date Uris, but inserting the code into the location page:

location.replace('javascript:alert("lorem ipsum");void(0)');
  • I’ve added links to the Mozilla Developer Network (MDN) for anyone who wants to dig deep about it

  • 1

    +1 I complemented the answer with setInterval, as I saw it in the links to @Emerson

  • 2

    +1 good answer!

  • 2

    Good list! I only draw attention to an important difference between the eval same and other options: the code passed to eval wheel in the scope where the eval is being called, with access to everything available in that scope; all other options run in the global scope.

  • 1

    also has the question of the strict mode that changes access to the scope and tals...

  • 1

    If Document.write and data URI are valid, then surely using DOM to create a <script> tag with JS content is also? innerHTML works in this case?

  • Guys, I converted the response to the community Wiki. Feel free to edit and add information here. I think this will be better for everyone. Just please before making a significant change, justify the change.

Show 2 more comments

5

In fact setTimeout and setInterval can use a method similar to eval() if they do not receive a function (anonymous or referenced) as the first parameter.

The desired, good practice, would be:

// declarar a função antes
function foo(){
   alert('foo');
}
setTimeout(foo,1000);

// usar uma função anónima
setTimeout(function(){
    foo();
},1000);

In case a string is passed for these methods, for example:

setTimeout('alert(foobar)' ,1000);

this can have implications serious security, but also scope problems. This string will be evaluated in the general scope, and if in this case the variable foobar is in the same scope as seTimeout but not in the general scope, it will not be found.

--

Another way is insert new script on the page in string form. So using:

var s = document.createElement('script');
s.type = 'text/javascript';
s.text = 'alert("Olá mundo!");';
$(document.body).append(s);
  • +1 because in addition it also included security implications which is complementary to the question, thank you.

3

Two other ways to retrieve Javascript code from a string are the Function constructor

var f = new Function('alert("oi")');
f();

and create a tag <script>, as suggested here:

var scrEl = document.createElement('script');
scrEl.innerHTML = "window.alert(1);"
document.body.appendChild(scrEl);

Browser other questions tagged

You are not signed in. Login or sign up in order to post.