2

I am developing an Enyo web application and would like to allow users to write their Javascript code in the browser and execute it.

I can do this by using window.eval. However, I have read about the evils of eval.

Is there anyone that could shed some light on how examples like http://learn.knockoutjs.com/, http://jsfiddle.net, etc do in browser execution safely and what the best practices are?

Improve this question
7
  • 3
    jsbin.com is open source, and hosted on github. Makes it very easy to study its code. Commented Apr 18, 2012 at 16:13
  • 1
    Just have the code executed on a different domain and you're pretty much done. Commented Apr 18, 2012 at 16:28
  • What have you read about the evils of eval? Commented Apr 18, 2012 at 21:48
  • @Pumbaa80 , heres one example - blogs.msdn.com/b/ericlippert/archive/2003/11/01/53329.aspx Commented Apr 19, 2012 at 15:45
  • @JonathanSampson thanks, that is a lot of help. Commented Apr 19, 2012 at 15:50

1 Answer 1

Reset to default
2

Eval is considered evil for all but one specific case, which is your case of generating programs during runtime (or metaprogramming). The only alternative would be to write your parser/interpreter (which can be done relatively easily in javascript, but rather for a simpler language than javascript itself - I did it and it was fun). Thus using eval() function here is legitimate (for making a browser-side compiler to a reasonably fast code, you need to use eval for generated compiled javascript anyway).

However, problem with eval is security, because evaluated code has the same privileges and access to its environment as your script that runs it. This is a topic quite hot recently and EcmaScript 5 was designed to partially address this issue by introducing strict mode, because the strict-mode code can be statically analyzed for dangerous operations.

This is usually not enough (or problematic for backward compatibility reasons), so there are approaches like Caja that solves security by analyzing the code on a server and allows only strict safe subset of javascript be used.

Another often used approach is protect the user, but not protecting from malicious attacks using running the user generated javascript in an <iframe> element embedded in the parent page (usually used by sites like jsfiddle). But it is not secure for the iframe can access its parent page and get to its content.

Even in this iframe approach there has been some progress recently e.g. in chrome to make it less vulnerable by using sandbox attribute

<iframe src="sandboxedpage.html" sandbox="allow-scripts"></iframe>

where you can even specify different privileges.

Hopefully, we will have an easy way to use safe and easy metaprogramming soon, but we are not there yet.

Improve this answer
Sign up to request clarification or add additional context in comments.

1 Comment

Great answer - I've been looking into the sandboxed iframes and use strict mode. Thanks for posting an answer.

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.