Thanks Nick - knew I could count on a 4am reply from you.
I think this was done as a shortcut, but in this application there's only 3 functions that need to be called so is a bit stupid. However, from what I've found on the web it does seem the whole Flash - Javascript interface is a bit flakey anyway so this part probably isn't the issue.
Previously on "eval in Javascript"
-
That approach allows the Flash content to execute arbitrary code. IMHO, it makes more sense from a security perspective to ensure that Flash only seeks to execute JS code provided specifically to support its requirements. That can be done without using eval.
Using eval may be perfectly safe and secure for your application, but it's a powerful vector for script injection, cross-site scripting, and cross-site request forgery.
It also imposes a performance cost: a whole new instance of the JS engine has to be instantiated to parse the passed string (which is what I assume the type of the jsf parameter is) and then execute it.
[Aside: Before anybody jumps in about my mention of the type of the parameter: JS does have types, and also has clearly defined rules for automatic type conversion. This can create the illusion of the language lacking types to those who are careless, but it is an illusion. The only people who think JS is an untyped language are those who don't know the language or haven't read the ECMA-262 spec.]
When this is done purely from within JS code itself it's far from ideal, but as JS runs on one thread it shouldn't be a problem. When done from within a plugin like Flash, the waters become muddier: the specifications governing browser behaviour aren't clear on how these interactions should be handled (in fact, they don't really exist), and it's definitely an area where one might expect to encounter bugs relating to the separate execution contexts of the JS code and the plugin code. Normally these things work well together, but the case of a plugin invoking a JS function which uses eval to create a new JS execution context, separate from the execution context of which the plugin is aware, is to my mind very much an edge case where unpredictable platform-dependent behaviour might well be encountered.
Put it this way: if I was writing the browser code and plugin code that handles the interaction of the plugin, the JS engine, and the new instance of the JS engine created by using eval, I would tend to assume that, despite my best efforts, I would almost certainly end up with some weird synchronisation bug in there. It's a tricky thing to do.
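An added example (not code from the thread) of the approach described in the reply above: the page keeps a fixed table of the functions the movie may call and dispatches by name with checked arguments, so no string is ever parsed as code. The three handler names, their argument types and the `state` object are hypothetical, since the thread only says that three functions are needed.

```javascript
// Added example: an allowlist dispatcher in place of eval(jsf).
// Handler names, argument types and the `state` object are hypothetical.
const state = { title: '', volume: 0, events: [] };

// Null-prototype map: inherited names such as "constructor" or "toString"
// can never resolve to something callable.
const HANDLERS = Object.freeze(Object.assign(Object.create(null), {
  setTitle: { types: ['string'], run: (t) => { state.title = t; return t; } },
  setVolume: {
    types: ['number'],
    run: (v) => { state.volume = Math.min(100, Math.max(0, v)); return state.volume; },
  },
  logEvent: {
    types: ['string', 'string'],
    run: (kind, msg) => state.events.push(`${kind}:${msg}`),
  },
}));

// Same entry-point name as the thread's JSFunction, but it takes a function
// name and an argument array rather than a string of source code.
function JSFunction(name, args = []) {
  if (typeof name !== 'string' || !(name in HANDLERS)) {
    return { ok: false, error: 'unknown function' };
  }
  const { types, run } = HANDLERS[name];
  if (!Array.isArray(args) || args.length !== types.length) {
    return { ok: false, error: 'wrong argument count' };
  }
  const typed = args.every((a, i) =>
    typeof a === types[i] && (types[i] !== 'number' || Number.isFinite(a)));
  if (!typed) return { ok: false, error: 'wrong argument type' };
  try {
    return { ok: true, value: run(...args) };
  } catch (e) {
    // Report the failure to the caller instead of throwing across the plugin boundary.
    return { ok: false, error: String(e && e.message) };
  }
}
```

Returning a result object rather than throwing also gives the caller something to log when a call is refused, which helps with "sometimes it doesn't work" reports.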
-
eval in Javascript
One for the webby types:
I have this inside some (client side) Javascript on a web page that hosts a flash movie as a way for the movie to call generic Javascript commands:
Code:
function JSFunction(jsf) { eval(jsf); }
This is one of those third hand "sometimes it doesn't work" type problems so I'm just looking for anything dubious.
Ta.