Hi Derrell

> [...]
> Hi Peter,
> 
> "eval() is evil" is a common phrase that helps discourage those who don't
> understand the possible consequences of using it from ever using it. There
> is nothing inherently evil about eval(). The input to eval() must be
> sanitized to ensure that there is no code in that input that could do harm,
> but once that sanitizing is complete, eval() is no longer evil. If ever user
> input can be directly fed (i.e. unsanitized) to eval(), the possibility of
> the evil user doing something evil exists, but that is the primary problem
> with eval(). It's not that eval() is evil; rather that it opens the
> possibility that the evil user might do something evil. Similarly, if
> unsanitized user input is ever allowed to creep into a SQL statement to a
> database, similar (or worse, since now we're talking server-side!) problems
> exist.

Yeah, I know. But thank you for explaining it here. That was something I
definitely missed when I wrote my post...

It is all about "do I trust the other side". In our special case the backend is
under our control as well, so we know what to expect from that server.

Checking the received JSON message before parsing it is a good point in any
case, anyway. I'm not sure, but I think something like that can be found in the
"contrib"...

> Feeding the input to Function rather than to eval() and then calling the
> generated function has all of the same security ramifications as simply
> calling eval(). There is effectively no difference between the two. I guess
> that must mean that Function is evil too. :-)

In that case I personally prefer "Function" ;)

The alikeness of eval() and Function was known to me but I was not 100% sure if
there were any other hidden differences (in this special JSON-parsing case).

In general, my reference to those questions is the book "JavaScript - The
Definitive Guide"[1] but still I was a bit uncertain.

> Cheers,
> 
> Derrell

Cheers and thanks,
   Peter

-----
[1] "JavaScript: The Definitive Guide" by David Flanagan
    (ISBN-13: 978-0596101992)
    http://oreilly.com/catalog/9780596101992
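An added example (not code from this thread or from the qooxdoo project) of the "check the received JSON message before parsing it" step discussed above. It assumes the structural filter from Douglas Crockford's json2.js as the pre-check, and shows why that check is needed regardless of whether eval() or Function does the parsing:

```javascript
// Pre-parse check for a JSON message (added example, not from qooxdoo).
// Strategy from json2.js: blank out string escapes, then string/number/
// literal tokens, then opening brackets; whatever is left must consist only
// of JSON punctuation and whitespace. Anything else (identifiers, parentheses,
// operators) is not plain data and is rejected before any parser sees it.
function looksLikeJson(text) {
  if (typeof text !== "string") return false;
  const stripped = text
    // 1. escape sequences inside strings become a harmless '@'
    .replace(/\\(?:["\\\/bfnrt]|u[0-9a-fA-F]{4})/g, "@")
    // 2. string, boolean, null and number tokens become ']'
    .replace(/"[^"\\\n\r]*"|true|false|null|-?\d+(?:\.\d*)?(?:[eE][+\-]?\d+)?/g, "]")
    // 3. '[' is only legal at the start or after ':' or ','
    .replace(/(?:^|:|,)(?:\s*\[)+/g, "");
  return /^[\],:{}\s]*$/.test(stripped);
}

// Parse a message from the backend. The native JSON.parse cannot execute
// code and is preferred; the Function path is the pre-ES5 fallback and has
// exactly the same reach as eval(), which is why it is never reached without
// looksLikeJson() succeeding first.
function parseMessage(text) {
  if (!looksLikeJson(text)) {
    throw new SyntaxError("rejected: message is not plain JSON");
  }
  if (typeof JSON !== "undefined" && typeof JSON.parse === "function") {
    return JSON.parse(text);
  }
  return new Function("return (" + text + ");")();
}

// Constructed sample messages: one as the backend would send it, one that
// smuggles a call expression into a value position.
const GOOD_MESSAGE = '{"id": 7, "tags": ["a", "b"], "note": "say \\"hi\\""}';
const BAD_MESSAGE = '{"id": alert(1)}';

function demo() {
  const parsed = parseMessage(GOOD_MESSAGE);
  let rejected = false;
  try {
    parseMessage(BAD_MESSAGE);
  } catch (e) {
    rejected = e instanceof SyntaxError;
  }
  return { id: parsed.id, tags: parsed.tags.length, rejected };
}
```

The filter is a syntax check only: it tells you the text is data rather than code, not that the data has the shape your application expects, so field-level validation still belongs after the parse.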

_______________________________________________
qooxdoo-devel mailing list
qooxdoo-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/qooxdoo-devel