2

I need to eval() the code inside my page because I am working on something jsFiddle-like. Since eval has such a bad reputation, how can I interpret the user input code safely and securely? Or as safely and securely as possible?

  • Wouldn't the JavaScript code a user inputs only be a danger to them? Anyway, have you read stackoverflow.com/questions/6714090/…? Commented Jan 28, 2014 at 14:34
  • Here are some alternatives to eval(): stackoverflow.com/questions/7127652/… Commented Jan 28, 2014 at 14:47
  • The reason eval is evil is because it lets you run unknown code. This is to prevent XSS and other forms of code injection. Since your whole point is to do code injection, use eval(), it's the tool for the job; just don't use it in situations where running 3rd party code would be a bad thing (e.g. a poor-man's JSON.parse). Commented Jan 28, 2014 at 17:05

1 Answer

1

I would suggest you have a look at the following resources:

Anyway, you should consider running the code that's coming from untrusted users/sources on another domain than where your main site/content is located.
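
The separate-domain setup suggested in the answer, seen from the embedding page's side, as an added example that is not part of the original answer. The origin `https://runner.example`, the page `/run.html` and the `run`/`result` message shape are assumptions made for illustration.

```javascript
const RUNNER_ORIGIN = "https://runner.example"; // assumed: a domain separate from the main site
const MAX_OUTPUT = 10000;                       // assumed cap on output shown to the user

// Embed the runner page (hypothetical /run.html, which eval()s the code it is sent).
function mountRunner(doc, container) {
  const frame = doc.createElement("iframe");
  // allow-same-origin lets the frame keep its own origin (runner.example); that is
  // only acceptable because this origin differs from the embedding page's origin.
  frame.setAttribute("sandbox", "allow-scripts allow-same-origin");
  frame.src = RUNNER_ORIGIN + "/run.html";
  container.appendChild(frame);
  return frame;
}

// Address the message to the runner origin only; if the frame has been navigated
// to some other origin, the browser does not deliver it.
function sendCode(frame, code) {
  frame.contentWindow.postMessage({ type: "run", code: String(code) }, RUNNER_ORIGIN);
}

// Validate a message event before using it. Returns the output string or null.
function acceptResult(event, runnerWindow) {
  if (event.origin !== RUNNER_ORIGIN) return null;  // sent from another origin
  if (event.source !== runnerWindow) return null;   // sent from another window
  const data = event.data;
  if (data === null || typeof data !== "object" || data.type !== "result") return null;
  if (typeof data.output !== "string") return null;
  return data.output.slice(0, MAX_OUTPUT);
}

// Wire it up: output is written with textContent, so it is never parsed as HTML
// in the main site's origin.
function listenForResults(win, frame, outputEl) {
  win.addEventListener("message", (event) => {
    const output = acceptResult(event, frame.contentWindow);
    if (output !== null) outputEl.textContent = output;
  });
}
```

The user's code still runs with full script privileges, but inside the runner origin, so the same-origin policy keeps it away from the main site's DOM, cookies and storage.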
