Eval and Function Constructor allow Execution of Unrewritten JavascriptEffectExecute arbitrary code with access to the global environment, and the local members of the stack frame in which it is called. Backgroundeval is described at 15.1.2.1, and parses its argument as a Program, and executes it in it's caller's environment. The Function constructor allows creation of a function given a string body. It will execute in the global scope as described at EcmaScript 262 section 15.3.2.1 EcmaScript 262 specifically requires that the global eval method be assignable, so it can be replaced. The Function constructor is available via the 'constructor' property of any function object. The proposed EcmaScript 4 standard attenuates eval somewhat: If the code that is using eval is compiled in strict mode, eval is prohibited from introducing new names. This is the one case in ES4 where the run-time meaning of a program changes in strict mode.
ES4 still has an eval function that may be aliased, but that always resolves references in the global scope so in ES4, eval('(' + x + ')') ≡ (new Function('return ' + x))() for all strings x that are well formed javascript expressions. Assumptionswindow.eval and/or the Function constructor are accessible and callable. The function constructor is available if any function is available and a function's constructor property is readable. VersionsAll interpreters that obey the referenced sections of EcmaScript. Exampleeval('alert("your cookie is " + document.cookie)');
(new Function('alert("your cookie is " + document.cookie)'))();
|
Sign in to add a comment
Jacaranda and ADsafe prevent this by blacklisting Function and eval as free identifiers, and constructor and eval as properties.