On 20 August 2011 20:10, Peter van der Zee <[email protected]> wrote:
> Personally I'd never use a construct like this. Just expose private
> variables as you go. Using eval is dangerous, especially because I
> don't quite see the point of the regex. I mean, what is clean() trying
> to do? `alert('foo');` is going to go through...

I think you may have misread the regex - it checks for anything that's
not \w - i.e. any non-identifier character (I should've used \W rather
than [^\w] in retrospect). So it wouldn't allow alert('foo') through
(I've included an example of an alert not making it through).

I agree that exposing private variables is probably better in general.
--
Nick Morgan
http://skilldrick.co.uk
@skilldrick
Save our in-boxes! http://emailcharter.org
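
The check discussed in the message above, as an added example that is not part of the original thread: a closure accessor that passes a name to eval only if it contains no \W character. The original code is not shown on this page, so makeCounter, peek and this body of clean() are assumptions.

```javascript
// Added example; makeCounter, peek and this body of clean() are hypothetical.

// Return the name if it contains only \w characters ([A-Za-z0-9_]),
// otherwise null. /\W/ matches the same characters as /[^\w]/.
function clean(name) {
  if (typeof name !== 'string' || name.length === 0) return null;
  return /\W/.test(name) ? null : name;
}

function makeCounter() {
  let count = 0; // private state held in the closure

  return {
    increment() { count += 1; },
    // Debug accessor: evaluates one bare token in this closure's scope.
    peek(name) {
      const safe = clean(name);
      if (safe === null) return { ok: false, reason: 'rejected' };
      try {
        return { ok: true, value: eval(safe) };
      } catch (e) {
        // ReferenceError: not in scope; SyntaxError: keyword such as "if"
        return { ok: false, reason: e.name };
      }
    },
  };
}

// Constructed sample inputs, run through the accessor.
function demo() {
  const counter = makeCounter();
  counter.increment();
  return ['count', "alert('foo')", 'count; alert(1)', 'nothere', 'if']
    .map((input) => [input, counter.peek(input)]);
}

console.log(demo());
```

The check limits the input to a single token, not to the intended variables: \w-only tokens such as `this` still reach eval, so a fixed list of permitted names is a tighter guard.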