This repository has been archived by the owner on Apr 5, 2021. It is now read-only.

avoid using eval #3

Open
tonydspaniard opened this issue Jun 8, 2013 · 2 comments

Comments

@tonydspaniard

There is an option to avoid the use of eval in the parseOptions function:

    var parseOptions = function (input) {
        try {
            // Split the "key:value, key:value" text into pairs, then each pair on ':'.
            var properties = input.split(', ');
            var output = {};
            properties.forEach(function (property) {
                var tup = property.split(':');
                output[tup[0]] = tup[1];
            });
            return output;
        }
        catch (error) {
            throw new Error(errors.parseOptions);
        }
    };

cons:
Attributes cannot hold the : sign

Another way is:

    return (new Function('return {' + input + '}'))();

@alexlawrence
Owner

An earlier version of declarative also implemented its own option parsing in order to avoid eval(). However, manual parsing has too many downsides. The above code would not work with arrays as values and definitely not with nested objects. As you mention, one would also not be able to use colons inside keys and/or values.

Using an immediately invoked function object would be slightly better than eval. Though it wouldn't be any more secure as far as I know.

@tonydspaniard
Author

You are right; nevertheless, I modified my version to include Function and it works very well.

Your library works amazingly well and is already implemented to create the backbone library for a PHP library that would use meta info for component functionality. It will be focused on the Yii framework, and I wonder if declarative works on dynamic rendering (live events). That could be amazing. I have already created the PHP library, called wheels.
Sent from my BlackBerry® from Vodafone
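
The thread weighs a split-based parser (no colons, arrays or nested objects) against `eval`/`new Function` (the attribute text runs as code). As an added example, not code from declarative or from either commenter, here is a small recursive-descent parser that accepts those value kinds while treating the input purely as data. The name `parseOptions` is reused from the issue; the accepted grammar is an assumption.

```javascript
// Added example: reads "key: value, ..." option text as data, never as code.
// Assumed grammar: identifier/quoted keys; string, number, true/false/null, array, object values.
function parseOptions(input) {
  let i = 0;
  const fail = (msg) => { throw new SyntaxError(msg + ' at position ' + i); };
  const ws = () => { while (/\s/.test(input[i] || '')) i++; };
  const eat = (ch) => { ws(); if (input[i] !== ch) fail('expected ' + ch); i++; };
  const match = (re) => {            // re must carry the sticky (y) flag
    ws(); re.lastIndex = i; const m = re.exec(input);
    if (m) i = re.lastIndex; return m;
  };
  const string = () => {             // a backslash escapes the next character
    const m = match(/'((?:[^'\\]|\\.)*)'|"((?:[^"\\]|\\.)*)"/y);
    if (!m) fail('expected string');
    return (m[1] !== undefined ? m[1] : m[2]).replace(/\\(.)/g, '$1');
  };
  const members = (end) => {         // end is '}' when nested, undefined at top level
    const out = Object.create(null); // no prototype: "__proto__" is an ordinary key
    ws();
    while (i < input.length && input[i] !== end) {
      const id = match(/[A-Za-z_$][\w$]*/y);
      const key = id ? id[0] : string();
      eat(':');
      out[key] = value();
      ws();
      if (input[i] === ',') { i++; ws(); } else break;
    }
    return out;
  };
  const value = () => {
    ws();
    if (input[i] === '{') { i++; const obj = members('}'); eat('}'); return obj; }
    if (input[i] === '[') {
      i++; ws(); const arr = [];
      while (input[i] !== ']') {
        arr.push(value()); ws();
        if (input[i] === ',') { i++; ws(); } else break;
      }
      eat(']'); return arr;
    }
    if (input[i] === "'" || input[i] === '"') return string();
    // Only literal tokens reach JSON.parse; identifiers and calls are rejected here.
    const lit = match(/true\b|false\b|null\b|-?\d+(?:\.\d+)?\b/y);
    return lit ? JSON.parse(lit[0]) : fail('unsupported value');
  };
  const result = members(undefined);
  if (i < input.length) fail('unexpected input');
  return result;
}
```

Input such as `a: alert(1)` raises a `SyntaxError` instead of being executed, and the returned objects have no prototype, so look keys up directly rather than through inherited methods.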
