
Function calls still possible, thanks to comments

Open mmdriley opened this issue 6 years ago • 1 comment

Per this HN comment:

Additionally, (() => 5)() doesn't work because we don't allow open and close parens next to each other.

Not really, I can write ((/**/)=>5)(/**/). Using eval on data that are provided by a user is always a bad idea. You cannot be sure that your sanitiser will be safe with new syntax elements.

and indeed:

>
function safeEval(expression){
	const toEval = expression.replace(/(\(\s*\)|[^0-9.()+\-*\/><=!&|?:])+/g, "");
	// ^ Removes unsafe chars (including ( ), but not (5 + 5))
	// See https://regex101.com/r/Pt82Gi/3 for examples.
	try {
		return eval(toEval);
	} catch(error) {
		return 0;
		//Rather than try to recover, just return.
	}
}
>
safeEval("100 * .99")
99
>
safeEval("((/**/)=>5)(/**/)")
5

mmdriley avatar Jun 03 '18 00:06 mmdriley
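As an added example (not code from this issue or from the project), the following is a small recursive-descent evaluator for the arithmetic subset that safeEval was meant to accept. Because the input is parsed against a grammar instead of being regex-filtered and handed to eval, the ((/**/)=>5)(/**/) payload quoted above fails as a syntax error. The names tokenize, evaluateArithmetic and isRejected are this example's own.

```javascript
// Added example, not the project's code: a recursive-descent evaluator for the
// arithmetic subset safeEval() meant to accept. Nothing reaches eval, so comments,
// arrow functions and calls are syntax errors. All names here are this example's own.
function tokenize(src) {
  const tokens = [];
  let pos = 0;
  while (pos < src.length) {
    const ch = src[pos];
    if (/\s/.test(ch)) { pos++; continue; }
    const num = /^(\d+\.?\d*|\.\d+)/.exec(src.slice(pos));
    if (num) { tokens.push({ type: "num", value: Number(num[0]) }); pos += num[0].length; continue; }
    if ("+-*/()".includes(ch)) { tokens.push({ type: ch }); pos++; continue; }
    // Letters, '=', '>' etc. are not arithmetic; reject instead of stripping and retrying.
    throw new SyntaxError(`unexpected character '${ch}' at offset ${pos}`);
  }
  return tokens;
}
function evaluateArithmetic(src) {
  const tokens = tokenize(src);
  let i = 0;
  const peek = () => (i < tokens.length ? tokens[i].type : null);
  const next = () => tokens[i++];
  // expr := term (('+' | '-') term)*
  function expr() {
    let v = term();
    while (peek() === "+" || peek() === "-") v = next().type === "+" ? v + term() : v - term();
    return v;
  }
  // term := factor (('*' | '/') factor)*
  function term() {
    let v = factor();
    while (peek() === "*" || peek() === "/") v = next().type === "*" ? v * factor() : v / factor();
    return v;
  }
  // factor := number | '-' factor | '(' expr ')' ; an empty "()" matches no production and fails
  function factor() {
    const t = peek();
    if (t === "num") return next().value;
    if (t === "-") { next(); return -factor(); }
    if (t === "(") { next(); const v = expr(); if (peek() !== ")") throw new SyntaxError("expected ')'"); next(); return v; }
    throw new SyntaxError(t === null ? "unexpected end of input" : `unexpected '${t}'`);
  }
  const result = expr();
  if (i !== tokens.length) throw new SyntaxError(`unexpected '${peek()}' after expression`);
  return result;
}
// True when the evaluator refuses the input (handy for confirming that a bypass fails).
function isRejected(src) { try { evaluateArithmetic(src); return false; } catch (e) { return e instanceof SyntaxError; } }
```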

Yep, I saw this too. The regex isn't perfect. I still haven't seen anyone modify state or make a DOM API call, so it's still ok.

robert-j-webb avatar Jun 03 '18 00:06 robert-j-webb