6

I have been reviewing the threads that I can find on the security implications of using eval() on the client side of a JavaScript web page.

I am implementing a site which should allow the user to run their own code (written on the page) and see some visual results on another div on the same page.

Essentially, I want the user to be able to write valid JavaScript code, and have it manipulate a canvas on the same page.

There is no need for server-side evaluation of the code.

I have had a look at both Jailed and Caja, but I think they may be adding additional complexity that is not required.

I understand that the right way of doing this type of thing is in a "sandbox" that has no access to the rest of my codebase; however, my needs are such that I cannot actually define a simple API to provide safe entry/exit points. I want the user to be able to use any JavaScript code, and I don't want to have to write an interpreter which will provide the API.

Given there is no server-side evaluation required, and there should only ever be a single user executing their own code in the web session, is it safe to use eval()?

  • 5
    Unless that code is shared with other users, which may lead to cookie stealing or some other bad behaviour, I think it can be safe, or at least it can hurt only that user's session. Commented Jan 5, 2016 at 23:36
  • 1
    Your eval approach is about as secure as jsfiddle.net. You will have problems catching thrown Errors (JS's version of Exceptions) the same way in a cross-browser fashion and displaying the line that caused the error, though. Not for security, but for the catching-Errors problem, you might want to consider creating script tags or iframes and executing code in that, though... which isn't what you're asking about :p Commented Jan 5, 2016 at 23:41

1 Answer 1

6

If you have no path in your logic that allows one person to publish code to be used by others then you can use eval() as it is.

Your situation is not in any way different from that of any user who has a browser with dev tools in it, where he/she can run any code they want.
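The answer and the second comment both point at the same design choice: whether the user's code runs in the host page's own origin (plain eval()) or in a separate browsing context. The following is an added example, not code from the question, the answer or any library they mention, showing the second option: the user's JavaScript is run inside an iframe whose sandbox attribute omits allow-same-origin, so the frame gets an opaque ("null") origin and cannot read the host page's DOM, cookies or storage. The frame draws on its own canvas and sends the rendered image back with postMessage. All function and element names here (buildSandboxSrcdoc, isMessageFromSandbox, runUserCodeInSandbox, the canvas id "c") are this example's own.

```javascript
// Added example: running user-supplied JavaScript in a sandboxed iframe
// instead of eval() in the host page. Names and structure are assumptions
// of this example, not from the question or answer.

// Embed user code in the frame's inline <script> as a JS string literal.
// JSON.stringify escapes quotes and newlines; "</" is rewritten to "<\/"
// (same characters once the literal is parsed) so user input cannot close
// the <script> element early with "</script>".
function embedAsStringLiteral(userCode) {
  return JSON.stringify(String(userCode)).replace(/<\//g, '<\\/');
}

// The frame's whole document. The user code runs via new Function inside
// the frame, receiving the frame's own canvas and 2D context as parameters;
// success or error is reported to the parent with postMessage. The frame
// has no origin to reveal, and the payload is the user's own drawing, so a
// targetOrigin of "*" is acceptable here.
function buildSandboxSrcdoc(userCode) {
  const literal = embedAsStringLiteral(userCode);
  return [
    '<!doctype html>',
    '<canvas id="c" width="300" height="150"></canvas>',
    '<script>',
    'const canvas = document.getElementById("c");',
    'const ctx = canvas.getContext("2d");',
    'try {',
    `  new Function("canvas", "ctx", ${literal})(canvas, ctx);`,
    '  parent.postMessage({ ok: true, image: canvas.toDataURL() }, "*");',
    '} catch (e) {',
    '  parent.postMessage({ ok: false, error: String(e && e.message || e) }, "*");',
    '}',
    '<\/script>', // written as "<\/" so this file can itself be inlined safely
  ].join('\n');
}

// Host side: accept only messages that really come from our frame. A frame
// sandboxed without allow-same-origin has an opaque origin, which the
// message event reports as the string "null"; the source must also be that
// frame's window, otherwise any other frame or window could inject results.
function isMessageFromSandbox(event, iframe) {
  return event.origin === 'null' && event.source === iframe.contentWindow;
}

// Host side (browser only): mount the frame, wait for its single result
// message, then tear the frame down. Resolves to { ok, image } or { ok, error }.
function runUserCodeInSandbox(userCode, outputDiv) {
  return new Promise((resolve) => {
    const iframe = document.createElement('iframe');
    iframe.setAttribute('sandbox', 'allow-scripts'); // deliberately no allow-same-origin
    iframe.srcdoc = buildSandboxSrcdoc(userCode);
    function onMessage(event) {
      if (!isMessageFromSandbox(event, iframe)) return;
      window.removeEventListener('message', onMessage);
      iframe.remove();
      resolve(event.data);
    }
    window.addEventListener('message', onMessage);
    outputDiv.appendChild(iframe);
  });
}

// Usage in the host page (browser):
//   const result = await runUserCodeInSandbox(editor.value, document.getElementById('out'));
//   if (result.ok) img.src = result.image; else showError(result.error);
```

Because the result comes back as a data URL, the host page can show the drawing in an <img> without ever letting the user's code touch the host DOM. Two caveats a practitioner should keep in mind: the sandboxed frame still shares the page's main thread, so an infinite loop in user code freezes the page (a timeout around the promise, or moving the computation into a Worker, addresses that); and the sandbox protects the host page's origin, not the user from their own code, which matches the answer's point that this is no worse than the user opening dev tools.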

