0

From a page containing (or referring to) my JavaScript I do an AJAX XHR request to an external Web site.

The external Web site returns, in response to our GET request, a JavaScript file like this:

var __xxx = {
    // ....
};

How do I get the value of the variable __xxx in my JavaScript?

Currently, the only way I have come up with is to remove var __xxx using a regular expression and parse the remainder using a JSON parser. Is there a better way?

The external Web site may be considered as trusted if necessary, but I would prefer not to trust the data from it (using some safe parser like JSON).

3
  • You could create a <script> tag on your page and insert the JS code into it. Commented Aug 14, 2018 at 18:52
  • @SebastianSpeitel I need to retrieve this value not once on page loading, but (probably several times) on keyboard events. Should I remove a <script> and re-create it for every event? Commented Aug 14, 2018 at 18:53
  • Not much you can do if that is the format. You could eval it or use new Function, but then that is a security risk. Commented Aug 14, 2018 at 18:54

2 Answers

1

Create a new function utilizing strings and the Function constructor. Add 'return __xxx;' and assign the result to a new variable that is accessible in your current script.

// data is the response text of the XHR request
var returned_data = new Function(data + " return __xxx;")();

This is preferable to eval because the execution of the function will not allow access to local variables outside of the function scope.


6 Comments

And this will execute any other random code so it is not really the best solution.
@epascarello as opposed to what? This is a bit of a ridiculous scenario. It's never going to be good when you're working with external scripts that you can't touch and aren't sure you trust. In that vein this is probably the safest way, though obviously it's still not advisable.
Like the OP said.... strip off the leading variable declaration and run it through JSON.parse, which is more secure.
@epascarello That requires, still, that you know explicitly what's in the returned script or it won't run, and if that's the case, then this solution is just as pragmatic.
But if someone slips in window.open(), alert, window.location.href, etc into the code, it will not run it if you match the pattern.... If you trust it, sure go ahead, but if there is any way the data could change on you, is it worth the risk?
1

I believe your best options are to either do what you are currently doing (parse the JavaScript string and JSON.parse it) or to use the eval method on the incoming JavaScript string.

I would personally recommend parsing the string, but it depends on the JavaScript you're returning from this endpoint. Eval would almost certainly work in either case, but can be dangerous.
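
The strip-and-parse approach from the question and the answer above, as an added example that is not part of the original posts: it accepts only a response that is exactly one `var __xxx = <JSON>;` statement and never executes it. It assumes the object literal is strict JSON (quoted keys, no comments); the function names and sample strings are constructed for illustration.

```javascript
'use strict';

// Constructed sample responses (not taken from any real site).
const SAMPLE_OK = 'var __xxx = {"user": "alice", "roles": ["admin"], "note": "a;b"};\n';
const SAMPLE_EXTRA_CODE = 'var __xxx = {"user": "alice"}; alert(1);';
const SAMPLE_NOT_JSON = 'var __xxx = {user: "alice" /* unquoted key */};';

// Return the JSON value assigned in a response shaped like `var NAME = ...;`
// without executing any of it. Throws SyntaxError for any other shape.
function extractAssignedJson(source, varName) {
  if (!/^[A-Za-z_$][\w$]*$/.test(varName)) {
    throw new TypeError('invalid variable name');
  }
  // `$` is the only regex metacharacter the check above lets through.
  const name = varName.replace(/\$/g, '\\$');
  // Anchored at the start: nothing may precede the declaration.
  const prefix = new RegExp('^\\s*var\\s+' + name + '\\s*=').exec(source);
  if (prefix === null) {
    throw new SyntaxError('response does not start with `var ' + varName + ' =`');
  }
  let body = source.slice(prefix[0].length).trim();
  if (body.endsWith(';')) {
    body = body.slice(0, -1); // drop the single statement terminator
  }
  // JSON.parse never evaluates code: calls, comments, unquoted keys and
  // trailing statements raise SyntaxError instead of running.
  return JSON.parse(body);
}

// Variant for event handlers: undefined (never a valid JSON value) means
// "ignore this response"; unexpected errors still propagate.
function tryExtract(source, varName) {
  try {
    return extractAssignedJson(source, varName);
  } catch (err) {
    if (err instanceof SyntaxError) return undefined;
    throw err;
  }
}
```

Because the result is undefined for every rejected response, a keyboard-event handler can call `tryExtract(xhr.responseText, '__xxx')` on each request and simply skip the update when nothing valid came back.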
