是的,这是一个有点重复的this问题,但@apsillers给出的答案是一个超级的答案,因为它指向那些没有被告知在previous有关问题的一个新的方面。另一个有用的SO问题,帮助我更好地undestand究竟是什么的的eval()的安全问题是that问题
Yes, it's a kinda duplicate of this question, but the answer given by @apsillers is a super-answer as it points a new aspect of the problem that have not been told in the previous question. Another helpful SO question that helped me to undestand better what exactly are the eval() security concerns is that question
我使用eval()在我的JavaScript code,我想知道如果我要让它下来。
I use eval() in my javascript code and I'm wondering if I should let it down.
普林西比:我有一个Ajax调用它初始化一个浏览器客户端和服务器之间的第一个Connexion公司。服务器运行PHP。该规则是:当客户端发送变量请求初始化,在服务器端PHP获得必要的脚本内容,把每个脚本作为一个新条目的内容在一个对象(该值是内容,名称是不带扩展名和目标文件名是PHP性病类的一个实例),将整个对象JSON(按照约定),并发送回的一切。在客户端,当HTT prequest完成后,得到的Javascript对象,做了一个简单的......在()就可以了。
Principe : I have an ajax call which initialize the first connexion between a browser client and the server. The server runs PHP. The rules is : when the client send the variable 'init' in request, on server side PHP get the contents of necessary scripts, put the content of each script as a new entry in an object (the value is the content, the name is the filename without the extension and the object is an instance of PHP STD Class), convert the whole object in JSON (by convention) and send back everything. On the client side, when the httprequest is done, Javascript get the object and do a simple for ... in () on it.
在每个occurence,我有两个选择:要么我Concat的内容变成一门手艺制作的脚本标签,我把它注入HTML页面的的头的。或者我EVAL的内容(我现在做的),以执行code,而不surcharging中的头的标记。这主要是为了美观。
On each occurence, I have two choice : either I concat the content into a craft-made script tag and I inject it into the head of the HTML page. Or I eval the content (which I do now) in order to execute the code without surcharging the head tag. It's mostly for aesthetic.
下面是code:
var xhr = null;
if (window.XMLHttpRequest || window.ActiveXObject) {
... //prepare the ajax request (initialize variable xhr)
}
var url = "index.php";
var params = "action=init";
xhr.open('POST', url, true);
xhr.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
xhr.send(params);
xhr.onreadystatechange = function() {
if (xhr.readyState == 4 && (xhr.status == 200 || xhr.status == 0)) {
var o = JSON.parse(xhr.responseText);
for(s in o) eval(o[s]);
}
}
我的问题:我一定要避免使用eval在这种情况呢?或者是足够安全(因为只有管理员可以修改这些动态注入脚本)?
My question : should I definitely avoid to use eval in this situation? Or is it safe enough (since only administrators are able to modify the scripts which are dynamically injected) ?
为评估
的安全规则是:用户永远不应该评估
生成或由其他用户修改的字符串。这是完全安全的,评估
服务器创建的字符串。毕竟,服务器提供的实际$ C $页面了C 的,因此,如果选择提供了code作为一种评估
字符串,有不一定是一个安全问题。
The security rule for eval
is: a user should never eval
a string that was generated or modified by another user. It is perfectly safe to eval
strings created by the server. After all, the server is providing the actual code of the page, so if it chooses to provide that code as an eval
string, there's not necessarily a security concern.
在安全性方面,它基本上是危险的(或基本上是安全的),包括一个动态创建的<脚本>
元素,因为它是调用评估
。唯一的区别是,<脚本>
code将始终在全球范围内经营的,而评估
即可运行在词汇范围,在该调用时,允许其从它包含的功能(S)访问的变量。这可能是也可能不是合乎需要的,这取决于你expect脚本能够获得
In terms of security, it's basically as dangerous (or basically as safe) to include a dynamically-created <script>
element as it is to call eval
. The only difference is that <script>
code will always run in the global scope, while eval
can run in the lexical scope in which the call is made, allowing it to access variables from its containing function(s). This may or may not be desirable, depending on what you expect the script to have access to.
function f() {
var a = 5;
eval("alert(a);");
// an injected <script> wouldn't have access to `a`
}
阴险的危险与评估
是可以说是相当困难的严格验证评估
的内容有从未被生成或由其他用户修改。在你的情况,如果的Object.prototype
已提供任何枚举财产(包括在你的的for..in
循环),该属性的值将是评估
编辑:
The insidious danger with eval
is that is can be quite difficult to strictly verify that the contents of eval
have never been generated or modified by another user. In your case, if Object.prototype
has been supplied with any enumerable property (included in your for..in
loop), the value of that property will be eval
ed:
Object.prototype.foo = "alert(1);";
您可以通过强制实施的自主性检查来解决这个问题:
You can get around this problem by enforcing an own-property check:
for(var s in o) {
if(o.hasOwnProperty(s)) {
eval(o[s]);
}
}
评估
也导致一个显著的性能损失,并创建一个不能被优化的可变范围的情况,但是这不是一个安全问题。
eval
also incurs a significant performance penalty and creates variable-scope situations that cannot be optimized, but that's not a security concern.