StackOverflow2013

Note that there are some explanatory texts on larger screens.

plurals

POJavascript json eval() injection
primarykey
Id
10211183
data
AcceptedAnswerId
10211351
AnswerCount
3
ClosedDate
CommentCount
2
CommunityOwnedDate
CreationDate
2012-04-18T14:10:39.103
FavoriteCount
1
LastActivityDate
2014-05-23T08:46:02.933
LastEditDate
2012-04-18T14:17:38.477
LastEditorUserId
1330984
OwnerUserId
1330984
ParentId
0
PostTypeId
1
Score
3
ViewCount
4324
LastEditorDisplayName
text
Body
I am making an AJAX chat room with the guidance of an AJAX book teaching me to use JSON and eval() function. This chat room has normal chat function and a whiteboard feature. When a normal text message comes from the php server in JSON format, the javascript in browser does this: Without Whiteboard Command ------------------------------------------- <pre><code>function importServerNewMessagesSince(msgid) { //loadText() is going to return me a JSON object from the server //it is an array of {id, author, message} var latest = loadText("get_messages_since.php?message=" + msgid); var msgs = eval(latest); for (var i = 0; i < msgs.length; i++) { var msg = msgs[i]; displayMessage(escape(msg.id), escape(msg.author), escape(msg.contents)); } ... </code></pre> <hr> The whiteboard drawing commands are sent by server in JSON format with special user name called "SVR_CMD", now the javascript is changed slightly: With Whiteboard Command -------------------------------------------------- <pre><code>function importServerNewMessagesSince(msgid) { //loadText() is going to return me a JSON object from the server //it is an array of {id, author, message} var latest = loadText("get_messages_since.php?message=" + msgid); var msgs = eval(latest); for (var i = 0; i < msgs.length; i++) { var msg = msgs[i]; if (msg.author == "SVR_CMD") { eval(msg.contents); // <-- Problem here ... //I have a javascript drawLine() function to handle the whiteboard drawing //server command sends JSON function call like this: //"drawLine(200,345,222,333)" eval() is going to parse execute it //It is a hacker invitation to use eval() as someone in chat room can //insert a piece of javascript code and send it using the name SVR_CMD? else { displayMessage(escape(msg.id), escape(msg.author), escape(msg.contents)); } } ... </code></pre> <hr> Now, if the hacker changes his username to SVR_CMD in the script, then in the message input start typing javascript code, insdead of drawLine(200,345,222,333), he is injecting redirectToMyVirusSite(). eval() will just run it for him in everyone's browser in the chat room. So, as you can see, to let the eval to execute a command from an other client in the chat room is obviously a hacker invitation. I understand the book I followed is only meant to be an introduction to the functions. How do we do it properly with JSON in a real situation? e.g. is there a server side php or .net function to javascriptencode/escape to make sure no hacker can send a valid piece of javascript code to other client's browser to be eval() ? Or is it safe to use JSON eval() at all, it seems to be a powerful but evil function? Thank you, Tom
Tags
<javascript><json><eval><code-injection>
Title
Javascript json eval() injection
singulars
PostAcceptedAnswerId
1. PO
 singulars
 PostTypePostTypeId
 PTAnswer
PostParentId
1. This table or related slice is empty.
PostTypePostTypeId
1. PTQuestion
UserLastEditorUserId
1. USTom
UserOwnerUserId
1. USTom
plurals
PostLinksPostIdRelatedPostId
1. This table or related slice is empty.
PostLinksRelatedPostIdPostId
1. This table or related slice is empty.
PostsAcceptedAnswerId
1. This table or related slice is empty.
PostsParentIdCreationDate
1. PO
 singulars
 PostTypePostTypeId
 PTAnswer
2. PO
 singulars
 PostTypePostTypeId
 PTAnswer
3. PO
 singulars
 PostTypePostTypeId
 PTAnswer
VotesPostIdCreationDate
1. VO
 singulars
 PostPostId
 POJavascript json eval() injection
 UserUserId
 This table or related slice is empty.
 VoteTypeVoteTypeId
 VTUpMod
2. VO
 singulars
 PostPostId
 POJavascript json eval() injection
 UserUserId
 This table or related slice is empty.
 VoteTypeVoteTypeId
 VTUpMod
3. VO
 singulars
 PostPostId
 POJavascript json eval() injection
 UserUserId
 This table or related slice is empty.
 VoteTypeVoteTypeId
 VTUpMod
CommentsPostId
1. COThrow that book away.
 singulars
 PostPostId
 POJavascript json eval() injection
 UserUserId
 USOtto Allmendinger
2. COThat's what I hate about web development books. They can't change with the web. `eval()` = evil
 singulars
 PostPostId
 POJavascript json eval() injection
 UserUserId
 USiambriansreed

Querying!

Guidance

A row detail

Detail views are divided into sections. All the information in the data section comes from columns in the selected row. The other sections display data from other, related rows.

Related data can be related in a to-one or a to-many fashion. Captions of data related in a to-many fashion link to a list view showing a filtered view of the table.

Try moving around until you find a non-empty to-many entry and click on the label to get to one. You can move back to the root by clicking on the database name in the header.