Potential threat with eval?
boulaycote
Posts: 2 | Questions: 0 | Answers: 0
Hi,
There is this part in the _fnCreateCookie function:
[code]
var aSplitCookie = aCookies[i].split('=');
try { oData = eval( '('+decodeURIComponent(aSplitCookie[1])+')' ); }
catch( e ) { continue; }
[/code]
I see a potential threat. Any reason eval is used here?
It is also used a few lines earlier:
[code]
oData = (typeof $.parseJSON === 'function') ?
$.parseJSON( sValue ) : eval( '('+sValue+')' );
[/code]
Is that check there for compatibility with older versions of jQuery? Why not just use $.parseJSON?
Thanks!
This discussion has been closed.
Replies
$.parseJSON isn't used on its own because DataTables currently supports jQuery 1.3+ and $.parseJSON was introduced in 1.4.1 ( http://api.jquery.com/jQuery.parseJSON/ ). So if you have jQuery 1.4.1+ then you aren't exposed to this issue, since eval will not be used.
Having said that, perhaps 1.10 is a good time to bump up the jQuery version requirement and remove that code... Issue opened: https://github.com/DataTables/DataTables/issues/66
Allan
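To make the difference between the two parsing paths concrete, here is an added example (not DataTables' code, and not from either poster): `parseCookieStateWithEval` mirrors the quoted `eval('(' + value + ')')` path, while the hypothetical `parseCookieStateStrict` uses `JSON.parse`, which accepts only the JSON grammar. The two cookie values are constructed samples.

```javascript
// Constructed sample cookie values. The first is the kind of state object a
// DataTables cookie carries; the second is a valid JavaScript expression that
// is NOT valid JSON (it sets a marker on globalThis when evaluated).
const SAMPLE_JSON_COOKIE = encodeURIComponent('{"iStart":0,"iLength":25}');
const SAMPLE_JS_COOKIE = encodeURIComponent(
  '(globalThis.__cookieEvalRan = true, {"iStart":0})'
);

// Mirrors the code path quoted in the thread: eval() accepts any JavaScript
// expression, so the cookie value can run code rather than just carry data.
function parseCookieStateWithEval(rawValue) {
  try {
    return eval('(' + decodeURIComponent(rawValue) + ')');
  } catch (e) {
    return null;
  }
}

// Hardened variant (hypothetical helper): JSON.parse rejects anything that is
// not JSON, and the result is additionally required to be a plain object.
function parseCookieStateStrict(rawValue) {
  let decoded;
  try {
    decoded = decodeURIComponent(rawValue);
  } catch (e) {
    return null; // malformed percent-encoding
  }
  try {
    const data = JSON.parse(decoded);
    if (data === null || typeof data !== 'object' || Array.isArray(data)) {
      return null; // state must be an object, not a scalar or array
    }
    return data;
  } catch (e) {
    return null; // not JSON: rejected, nothing is executed
  }
}
```

With the strict parser the JavaScript-expression cookie is simply discarded; with the eval path it is executed and the marker on `globalThis` gets set.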