Topic: How dangerous is eval()? (Page 1 of 1) |
|
---|---|
Paranoid (IV) Inmate From: Australia |
posted 08-08-2006 03:27
Just wondering exactly what sort of bad things people can do with eval if they somehow managed to get a variabled into something you were going eval. |
Lunatic (VI) Mad Scientist From: Massachusetts, USA |
posted 08-08-2006 06:49
It will cause the JavaScript to do something on their browser only. However, if any of a user's input is stored on the server and then put back into web pages for others to see (such as on a forum), if it then got put into an eval, it would be as dangerous as if it were not stripped of HTML tags. |
Paranoid (IV) Inmate From: Australia |
posted 08-08-2006 08:30
Yeh i see what you mean, but its not like with python where they can actually delete files from your PC with eval(). |
Paranoid (IV) Inmate From: Norway |
posted 08-08-2006 08:31
eval() is evil! plain and simple. At best, in case of a malicious usage, your website would be defaced and the user gratified with goatse and tubegirl. At worst the user would have some serious problems with his/her computer. |
Maniac (V) Inmate From: |
posted 08-08-2006 09:30
<insert sly smile here> quote:
|
Paranoid (IV) Inmate From: Australia |
posted 08-08-2006 12:10
Yeh the only thing i am using eval for is JSON, will have to look up the sites with the script injection. I am parsing the data that comes to the eval function before it is eval()ed, so if you think they can still do damage let me know. quote:
|