0

I have JavaScript code created server side and passed to the client as a string by a REST request. I am trying to execute the code retrieved. Any help would be appreciated.

Server side. The JavaScript code stored in a string:

    (function() {

        function createChart(selector) {
            $(selector).highcharts({
                chart: {
                    type: 'column',
                },
                xAxis: {
                    crosshair: true,
                    type: "category"
                },
                yAxis: {
                    min: 0,
                    title: {
                        text: null
                    }
                },
                series: [{
                    data: datas
                }],
            });
        }

        function render() {
            createChart('#chart');
        }

        return {
            render: render
        }
    }())

Client side (AngularJS):

    .controller('ChartController', ['$scope', 'charts', function ($scope, charts) {

        var test = charts.data; // contains the JavaScript code sent by a REST request
        eval(test);
        test.render();

    }])

The execution of the script on the client side returns "test.render is not a function" in Chrome.

Any advice?

Thank you very much

4
  • 1
    Append a script tag to the page with the src being the server-side page. Commented Aug 10, 2015 at 16:54
  • @epascarello. I think it's a good way to do it. So I need to store the string in a real JavaScript file server side, then link it to the script tag client side, right? Thanks. Commented Aug 10, 2015 at 17:20
  • No, you just return the script, no need to create an actual file. That is how JSONP works. Commented Aug 10, 2015 at 17:21
  • @epascarello. I don't understand how it works because a script tag points to a resource file. Can you provide me some example links, please? Thanks. Commented Aug 10, 2015 at 17:34

3 Answers

2

You can use eval to execute an arbitrary chunk of JavaScript code, but you should really, really avoid this when possible.

eval is a huge security problem since presumably you're getting that string from an outside source and who knows what they might try to run. See this question for more information on why eval is evil.


6 Comments

Exactly right. Using eval() opens the server up to malicious attack, as any externally supplied string has the power to (as an example) access the filesystem, gain control over your server processes, etc.
@Mike C. Oh yeah, you are right, thank you. I did some research about eval and it seems very dangerous... So what are the other safe options to eval a JavaScript string? Thanks
@user902509 That's it. If you're going to evaluate a string, it's not safe. I'd suggest loading in your script another way.
@Mike C. But eval is only dangerous if we can access the code by a browser, right? Because in my case it's about a mobile application. Thanks
@user902509 It's dangerous no matter where you use it. Never trust user data. That's a golden rule of programming.
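
One alternative to evaluating server-supplied code, given as an added example that is not part of the original answers: the server returns only the chart data as JSON, and the client validates it and builds the same Highcharts options itself. The payload field names `type` and `points`, the allowlist, the size limit and the sample responses are assumptions constructed for illustration.

```javascript
// Added example: the REST response carries chart *data*, never code.
// Field names "type" and "points" are hypothetical, not from the question.
const ALLOWED_TYPES = new Set(['column', 'bar', 'line']);
const MAX_POINTS = 1000;

// Parse and validate the response text, then assemble the Highcharts
// options locally. Throws on anything outside the expected shape.
function buildChartOptions(responseText) {
  const payload = JSON.parse(responseText); // JSON.parse cannot execute code
  if (payload === null || typeof payload !== 'object' || Array.isArray(payload)) {
    throw new TypeError('payload must be a JSON object');
  }
  if (!ALLOWED_TYPES.has(payload.type)) {
    throw new RangeError('chart type not allowed');
  }
  if (!Array.isArray(payload.points) || payload.points.length > MAX_POINTS) {
    throw new RangeError('points must be an array of at most ' + MAX_POINTS);
  }
  const data = payload.points.map(function (p) {
    if (!Array.isArray(p) || p.length !== 2 ||
        typeof p[0] !== 'string' || !Number.isFinite(p[1])) {
      throw new TypeError('each point must be [label, finite number]');
    }
    return [p[0], p[1]]; // copy only the two validated fields
  });
  // Same options as the chart in the question, built on the client.
  return {
    chart: { type: payload.type },
    xAxis: { crosshair: true, type: 'category' },
    yAxis: { min: 0, title: { text: null } },
    series: [{ data: data }]
  };
}

// Wrapper that reports rejection instead of throwing.
function tryBuild(text) {
  try { return { ok: true, options: buildChartOptions(text) }; }
  catch (e) { return { ok: false, error: e.name }; }
}

// Constructed sample responses (not real server output).
const goodResponse = '{"type":"column","points":[["Jan",3],["Feb",7]]}';
const codeResponse = '(function(){ return { render: function(){} }; }())';

// In the controller, assuming charts.data holds the raw response text:
//   $('#chart').highcharts(buildChartOptions(charts.data));
```

A response that contains script, such as `codeResponse`, fails at `JSON.parse` and never reaches the chart.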
1

Use:

    var result = eval(test);
    result.render();

Because your test is a string. The result of eval(test) is a function.

It is never recommended to use eval. But if you really need it, use Angular's $eval instead:

If you want to eval() an Angular expression yourself, use the $eval() method.

1 Comment

Thanks, it works, but I guess it will be temporary until I find another solution because it's too dangerous, but I needed it to work for my local tests. Thank you very much
0

You should use the eval function like this:

    var functionToEval = "functionName";
    console.log(eval(functionToEval));

For more information on the eval function you can go see this page: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/eval
