Restricting eval() to a narrow scope

by

Short answer: No. If it’s in the global scope, it’s available to anything.

Long answer: if you’re eval()ing untrusted code that really wants to read or mess with your execution environment, you’re screwed. But if you own and trust all code being executed, including that being eval()ed, you can fake it by overriding the execution context:

function maskedEval(scr)
{
    // set up an object to serve as the context for the code
    // being evaluated. 
    var mask = {};
    // mask global properties 
    for (p in this)
        mask[p] = undefined;

    // execute script in private context
    (new Function( "with(this) { " + scr + "}")).call(mask);
}

Again, I must stress:

This will only serve to shield trusted code from the context in which it is executed. If you don’t trust the code, DO NOT eval() it (or pass it to new Function(), or use it in any other way that behaves like eval()).

More Related Contents:

  1. Why is using the JavaScript eval function a bad idea?
  2. When is JavaScript’s eval() not evil?
  3. Executing elements inserted with .innerHTML
  4. Convert a string to a template string
  5. Are eval() and new Function() the same thing?
  6. Calculate string value in javascript, not using eval
  7. (1, eval)(‘this’) vs eval(‘this’) in JavaScript?
  8. Why does JavaScript’s eval need parentheses to eval JSON data?
  9. Is it possible to achieve dynamic scoping in JavaScript without resorting to eval?
  10. Why {} + {} is NaN only on the client side? Why not in Node.js?
  11. Is Javascript eval() so dangerous? [duplicate]
  12. Specify scope for eval() in JavaScript?
  13. Eval is evil… So what should I use instead?
  14. what does eval do and why its evil? [duplicate]
  15. Safely sandbox and execute user submitted JavaScript?
  16. Accessing or creating nested JavaScript objects with string key without eval
  17. Why the open quote and bracket for eval(‘(‘ + jsonString+ ‘)’) when parsing json string
  18. What are the Alternatives to eval in JavaScript?
  19. How to code a calculator in JavaScript without ‘eval’
  20. Context-preserving eval
  21. eval javascript, check for syntax error
  22. Alternatives to JavaScript eval() for parsing JSON
  23. What’s the main benefit of using eval() in JavaScript?
  24. Alternative to eval() javascript [duplicate]
  25. Exploiting JavaScript’s eval() method
  26. JQuery getJSON – ajax parseerror
  27. How to calculate the XPath position of an element using Javascript?
  28. Associative array versus object in JavaScript
  29. React-Redux: Should all component states be kept in Redux Store
  30. Assign only if condition is true in ternary operator in JavaScript

Leave a Comment