Hi Derrell

> [...]
> Hi Peter,
>
> "eval() is evil" is a common phrase that helps discourage those who don't
> understand the possible consequences of using it from ever using it. There
> is nothing inherently evil about eval(). The input to eval() must be
> sanitized to ensure that there is no code in that input that could do harm,
> but once that sanitizing is complete, eval() is no longer evil. If ever user
> input can be directly fed (i.e. unsanitized) to eval(), the possibility of
> the evil user doing something evil exists, but that is the primary problem
> with eval(). It's not that eval() is evil; rather that it opens the
> possibility that the evil user might do something evil. Similarly, if
> unsanitized user input is ever allowed to creep into a SQL statement to a
> database, similar (or worse, since now we're talking server-side!) problems
> exist.
Yeah, I know. But thank you for explaining it here. That was something I definitely missed when I wrote my post... It is all about "do I trust the other side". In our special case the backend is under our control as well, so we know what to expect from that server. Checking the received JSON message before parsing it is a good point in any case, anyway. I'm not sure, but I think something like that can be found in the "contrib"...

> Feeding the input to Function rather than to eval() and then calling the
> generated function has all of the same security ramifications as simply
> calling eval(). There is effectively no difference between the two. I guess
> that must mean that Function is evil too. :-)

In that case I personally prefer "Function" ;)

The alikeness of eval() and Function was known to me, but I was not 100% sure if there were any other hidden differences (in this special JSON-parsing case). In general, my reference for those questions is the book "JavaScript - The Definitive Guide"[1], but still I was a bit uncertain.

> Cheers,
>
> Derrell

Cheers and thanks,
Peter

-----
[1] "JavaScript: The Definitive Guide" by David Flanagan (ISBN-13: 978-0596101992)
    http://oreilly.com/catalog/9780596101992

_______________________________________________
qooxdoo-devel mailing list
qooxdoo-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/qooxdoo-devel
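The point made in the thread, that eval() and Function are equivalent for turning a received JSON text into an object and that the text should be checked before it is parsed, can be seen in a small added example. This code is not from the thread or from the qooxdoo project; the two sample messages are constructed, and the pre-check is the token-level regular-expression test that Crockford's json2.js applied before it would hand a string to eval(). A modern runtime has JSON.parse, which never executes code, so the checked variant delegates to it.

```javascript
// Added example (not from the thread or qooxdoo): eval()/Function-based JSON
// "parsing" next to a validate-then-parse approach.

// Constructed sample messages as a client might receive them from a backend.
const trustedMessage = '{"user":"alice","roles":["admin","dev"],"count":3}';
// Valid JavaScript, but not JSON: it contains a function call. A parser built
// on eval() or Function will run that call as a side effect of "parsing".
const untrustedMessage = '{"user": recordSideEffect("executed"), "count": 3}';

// Recorder for observing what an eval()/Function-based parser executed.
// Attached to globalThis because code compiled via Function runs in global scope.
globalThis.sideEffects = [];
globalThis.recordSideEffect = function (value) {
  globalThis.sideEffects.push(value);
  return value;
};

// Style 1: eval(). The parentheses make the text parse as an expression,
// not as a block statement.
function parseWithEval(text) {
  return eval('(' + text + ')');
}

// Style 2: Function constructor. Same trust requirements as eval(): anything
// in `text` that is executable JavaScript gets executed.
function parseWithFunction(text) {
  return new Function('return (' + text + ');')();
}

// Pre-check from json2.js: replace every legal JSON token (escapes, strings,
// literals, numbers) with a bracket, strip array openings, and require that
// only structural characters remain. Any identifier, operator or call syntax
// survives the substitutions and makes the test fail.
function looksLikeJson(text) {
  const reduced = text
    .replace(/\\(?:["\\\/bfnrt]|u[0-9a-fA-F]{4})/g, '@')
    .replace(/"[^"\\\n\r]*"|true|false|null|-?\d+(?:\.\d*)?(?:[eE][+\-]?\d+)?/g, ']')
    .replace(/(?:^|:|,)(?:\s*\[)+/g, '');
  return /^[\],:{}\s]*$/.test(reduced);
}

// Style 3: check first, then parse with JSON.parse, which cannot execute
// anything. `expectedKeys` (a constructed shape check, not a json2 feature)
// expresses the "we know what to expect from that server" idea as code.
function parseChecked(text, expectedKeys) {
  if (!looksLikeJson(text)) {
    throw new SyntaxError('message rejected: not JSON');
  }
  const value = JSON.parse(text);
  if (expectedKeys) {
    for (const key of expectedKeys) {
      if (!Object.prototype.hasOwnProperty.call(value, key)) {
        throw new TypeError('message rejected: missing key "' + key + '"');
      }
    }
  }
  return value;
}

// Demonstration: runs all three styles over both messages and reports what
// the eval()/Function path executed.
function demo() {
  const results = {
    evalOk: parseWithEval(trustedMessage).user,
    functionOk: parseWithFunction(trustedMessage).user,
    checkedOk: parseChecked(trustedMessage, ['user', 'count']).user,
  };
  parseWithEval(untrustedMessage);      // executes recordSideEffect
  parseWithFunction(untrustedMessage);  // executes it again
  results.executedByEvalStyles = globalThis.sideEffects.length;
  results.untrustedPassesCheck = looksLikeJson(untrustedMessage);
  return results;
}
```

Running demo() shows the contrast: both eval-style parsers return the right object for the trusted message and also execute the embedded call in the untrusted one, while looksLikeJson rejects that message before any parser sees it. Where JSON.parse is available the pre-check is redundant for safety, but it still gives an early, cheap rejection point and a place to log malformed messages.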