
Is it possible to use eval() to evaluate JavaScript code and be certain that that code will not have access to certain objects?

Example:

(function(window, location){ eval('console.log(window, location)'); })() 

The above code doesn't seem to have direct access by reference to the window object because it is undefined in that scope. However, if another object exists globally and it contains a reference to window, it would be accessible.

If I add to window, location any other object or variable that may contain a reference to window, will the evaluated code ever be capable of referencing the window object?

I am trying to create a platform where user apps can be uploaded with js files and access to specific APIs will be given in the form of permissions.

  • Eval is Evil. Never use it if you are concerned with security. Commented May 26, 2015 at 14:32
  • You may want to look at some kind of sandbox library. Writing your own is probably going to lead to failure of the painful sort if there's a lot on the line here. Since you're talking about uploading and executing arbitrary JavaScript, I have no idea how window would factor in here. Are you running this in a browser? That seems reckless. Commented May 26, 2015 at 14:33
  • eval() isn't evil, just misunderstood. Commented May 26, 2015 at 14:39
  • @R4nc1d That's right, it should be avoided 99% of the time, and this is a case where it may be acceptable, if you know what you are doing. Commented May 26, 2015 at 14:41
  • @KosmasPapadatos A good solution is to run the code in an isolated iframe that is not allowed to access the parent page. Then, even if they do modify window, it won't really affect your site. You can then communicate with that iframe using postMessage. That is what sites like jsfiddle.net do. You'll see that your JavaScript can't really affect the outside of the Result frame. Commented May 26, 2015 at 14:47

1 Answer

In JavaScript, any function called globally (i.e. not on an object) will have its this parameter set to the global object (in a browser that is window). So this snippet:

(function(window, location) { eval('(function () { console.log(this) })()'); })() 

prints out the current window object.


5 Comments

So it is impossible to make the window object unreachable?
They could get around it by specifying what this is, e.g. (function(window, location) { eval('(function () { console.log(this) })()'); }).call({})
@KosmasPapadatos Pretty much. You can have a look at a sandboxing library as suggested in the comments above.
@JuanMendes that only sets this on the function wrapping the eval, the function inside the eval still has this == window
@WillSmith I do stand corrected ;) I did not even think about the fact that the code using this was inside the eval
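The following is an added example (not code from the question, the answer or the commenters) that reproduces the whole thread in runnable form: the parameter shadowing from the question, the `this` escape from the answer, and the `.call({})` workaround from the comments. It runs in Node or a browser; in Node the global object is `globalThis`, so that name is shadowed instead of `window`.

```javascript
// Added example: why shadowing the global name around eval() does not hide
// the global object. Assumes nothing beyond standard JavaScript.
const GLOBAL = typeof window !== 'undefined' ? 'window' : 'globalThis';

// Wrappers are built with the Function constructor only so that their body is
// sloppy (non-strict) mode, like the plain browser script in the question,
// even if this file happens to be loaded as a strict ES module.
// The parameters shadow the names the question tried to hide.
const shadowedEval = new Function('code',
  'return (function (' + GLOBAL + ', location) { return eval(code); })();');

// Same wrapper invoked with .call({}), the workaround proposed in the comments.
const shadowedEvalWithCallObj = new Function('code',
  'return (function (' + GLOBAL + ', location) { return eval(code); }).call({});');

// 1. The direct reference really is hidden by the parameter (the question's
//    observation): `typeof window` inside the eval'd code is "undefined".
function directNameIsHidden() {
  return shadowedEval('typeof ' + GLOBAL) === 'undefined';
}

// 2. A plainly called non-strict function gets the global object as `this`
//    (the answer's point), so the shadowing is bypassed.
function thisReachesGlobal() {
  return shadowedEval('(function () { return this; })()') === globalThis;
}

// 3. .call({}) only rebinds `this` for the outer wrapper (and thus for the top
//    level of the eval'd string); a nested function inside the eval'd string
//    still gets the global object, as the last comments explain.
function callObjDoesNotHelp() {
  const outer = shadowedEvalWithCallObj('this');
  const inner = shadowedEvalWithCallObj('(function () { return this; })()');
  return outer !== globalThis && inner === globalThis;
}
```

All three functions return true, which is the thread's conclusion: hiding names in scope is not isolation, and the isolated iframe plus postMessage approach from the comments is the boundary that actually holds.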
