2

In my UI, users are able to build some javascript objects like:

var box = {
    "width": "100px",
    "height": "200px",
    "click": function () {
        alert("You clicked the box");
    }
};

This is a valid JavaScript object. Now, I want a way to validate this in PHP. I can use json_encode/json_decode, but it will not work due to the "function() ..." thing. Do you have any suggestion?

7
  • 1
    What kind of validation do you want to achieve? You might pull the whole through a JavaScript eval maybe as a first estimate of syntactical correctness. Commented Sep 2, 2013 at 12:45
  • @mvw Syntax validation I guess, I want to make sure when that object is used inside JavaScript it will not result in an error. Yeah, I can use eval and catch the exception, but I need a PHP validation method, the validation must be inside PHP. Commented Sep 2, 2013 at 12:49
  • maybe take a look at stackoverflow.com/questions/6473473/… Commented Sep 2, 2013 at 12:50
  • 1
    php function json_decode is used to handle data in JSON representation, and your javascript object box is not. Either exclude attribute click, or parsing the javascript code with UglifyJS.php which I got from this question Commented Sep 2, 2013 at 12:52
  • 1
    This is going to be extremely hard, as it'd have to be a full-blown JavaScript validator. Commented Sep 2, 2013 at 12:55

3 Answers

4

For a quick, dirty, and unsafe solution, you could have node installed on the server, and call PHP's exec() to validate the code.

From the documentation, exec is defined as:

string exec ( string $command [, array &$output [, int &$return_var ]] )

and with node, we can evaluate a JavaScript string by using the -e flag. Example using the command line:

> node -e 'invalid javascript'
SyntaxError: Unexpected identifier
> $?
-bash: 8: command not found   # <-- return status!

Tying it together with PHP's exec, you could have something like this:

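<?php
// Unsafe by design: node -e runs the user's code on the server, it is not just a syntax check.
$userJavaScript = getUserJavaScriptSomehow();
// PHP concatenates strings with ".", and escapeshellarg() keeps quotes in the
// input from breaking out of the shell argument.
exec("node -e " . escapeshellarg($userJavaScript), $output, $return_var);
if ($return_var !== 0) {
    // something went wrong with parsing it.
}
?>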

Note that this is a horrible solution. You're better off validating the JavaScript on the client side and forgetting about doing validation on the server side altogether, considering the user can execute any arbitrary code. You would have to safeguard against file access, infinite loops, etc.


2

I suppose you try to validate an object built from user input. Since writing a complete JavaScript parser in PHP would be difficult, I suggest the following approach: After all data was entered, request the JavaScript object from the PHP script via Ajax. Then you can do an eval on the client side to see if there are any errors.

A more general advice: Don't mix executable code and data! Just exchange easily validatable JSON objects between client and server and write some static JavaScript code that processes the JSON objects. This will also protect you better against code injections from user input.

1 Comment

Thanks, I will accept this as the best answer for my problem. The other ones are good too, but executing user input data on the server side is not a good idea. Thanks again
2

PHP could only validate the JSON part of the code. If you want a server side technology use nodejs for that. Simply run the code via node code.js and see if there are any errors. So, I guess that you should get the code, save it to a file and run node against it.
