I'd like to know if the code below offers some insecurity to the site.
If so, what is the safe way to write this code?
You already know that eval causes the browser to interpret/execute code in the same scope in which it was called: then "no". The code running on the client side is not able to modify the server, but it has access to the local declarations, since anyone can quickly modify the global context (now, this is in case you want to evaluate a string that came from elsewhere).
I would worry about using eval in this case, since it can undermine the performance of a game (for example), by having the browser re-evaluate and execute code.
The way you used eval was not very vivid, like, you wanted to get an obj1 property in a more customized way. Assignments also work with (exp)[expParaONomeDaPropriedade] instead of (exp).identificador:
obj1['0']; // same as obj1[0]
obj1['but1']; // same as obj1.but1
The difference from using . is because you are required to use an identifier in several ways currently:
({ 'a': 2 }).\u{61} // 2
({ 'a': 2 }).\u0061 // 2
({ 'B': 5 }).\u0042 // 5
({ 'B': 5 }).B // 5
Remembering that the names of all properties are forced to be strings, except a property with the type name 'symbol' ...
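The bracket-notation lookup described in the answer above, set beside an eval-based lookup, as an added example that is not part of the original question or answer. obj1 and but1 are the names used above; the property values, the symbol key, getWithEval, getProp, markExecuted and the input string are assumptions constructed for illustration.

```javascript
// Constructed sample object: obj1 and but1 are the names used above,
// the values and the symbol key are made up for this example.
const tag = Symbol('tag');
const obj1 = { 0: 'first', but1: 'button one', [tag]: 'by symbol' };

// Pattern to avoid (hypothetical helper): the property name is spliced into
// source text and handed to eval, so anything in `name` that is not a plain
// identifier is executed as code in the caller's scope.
function getWithEval(obj, name) {
  return eval('obj.' + name);
}

// Safer pattern (hypothetical helper): bracket notation treats `name` purely
// as a key. Limiting keys to string/number/symbol and to own properties keeps
// inherited members such as `constructor` out of reach.
function getProp(obj, name) {
  const t = typeof name;
  if (t !== 'string' && t !== 'number' && t !== 'symbol') {
    throw new TypeError('property key must be a string, number or symbol');
  }
  return Object.prototype.hasOwnProperty.call(obj, name) ? obj[name] : undefined;
}

// Constructed, harmless stand-in for "a string that came from elsewhere":
// it only flips a flag, which is enough to show whether it was executed.
let sideEffect = false;
function markExecuted() { sideEffect = true; return 'x'; }
const untrusted = 'but1; markExecuted()';

function demo() {
  sideEffect = false;
  const viaEval = getWithEval(obj1, untrusted);  // eval runs markExecuted()
  const evalRan = sideEffect;
  sideEffect = false;
  const viaBracket = getProp(obj1, untrusted);   // just a key that is absent
  return { viaEval, evalRan, viaBracket, bracketRan: sideEffect };
}

console.log(demo());
console.log(getProp(obj1, 'but1'), getProp(obj1, 0), getProp(obj1, tag));
```
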