0

I've got a perfectly correct JSON string which gets parsed inside a function's method by using the eval function. When that is done, though, for some unknown reason the first line of a globally defined method is injected inside as one of the array's parameters.

The string being parsed is:

{"id":1,"name":"object1","volume":15,"weight":100}

The parsing line is:

var decoded = eval('(' + encoded + ')');

Once decoded by using the eval() function, I've got the "complementary" attribute decoded['replaceNode'] inside, which contains a global scope function contained inside another file.

I'd consider it a bug, but since the same happens in both Firefox and Safari, it seems unlikely. More probably I've misunderstood the purpose of eval.

Thank you for your help in advance.

4

2 Answers

4

Don't use eval.

eval is unsafe and can allow an attacker to execute arbitrary code. Use JSON instead.

answered 2012-04-26T03:54:30.857
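The difference this answer points to, as an added example that is not part of the original question or answers: the question's `eval('(' + encoded + ')')` pattern beside a strict `JSON.parse` decoder. The `hostile` string, the `sideEffectRan` flag and the function names are constructed for illustration.

```javascript
// The JSON string from the question.
const encoded = '{"id":1,"name":"object1","volume":15,"weight":100}';

// Constructed input: not valid JSON, but a valid JavaScript expression
// whose evaluation has a (harmless) side effect.
const hostile = '{"id": (globalThis.sideEffectRan = true, 1)}';

// The pattern from the question: the text is compiled and run as JavaScript.
function decodeWithEval(text) {
  return eval('(' + text + ')');
}

// Strict decoding: JSON.parse accepts only the JSON grammar and never executes
// code. Anything that is not a plain object is rejected as well, because the
// caller expects a record like the one in the question.
function decodeStrict(text) {
  let value;
  try {
    value = JSON.parse(text);
  } catch (err) {
    return { ok: false, error: err.name };
  }
  if (value === null || typeof value !== 'object' || Array.isArray(value)) {
    return { ok: false, error: 'TypeError' };
  }
  return { ok: true, value };
}

function demo() {
  globalThis.sideEffectRan = false;
  const viaEval = decodeWithEval(hostile);      // expression inside the string runs
  const evalRanCode = globalThis.sideEffectRan;

  globalThis.sideEffectRan = false;
  const strict = decodeStrict(hostile);         // rejected at parse time
  const parseRanCode = globalThis.sideEffectRan;

  const good = decodeStrict(encoded);           // the question's string parses fine
  return {
    evalId: viaEval.id, evalRanCode, parseRanCode,
    strictRejected: !strict.ok, strictError: strict.error,
    keys: Object.keys(good.value),
  };
}

console.log(demo());
```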
0

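Putting aside the pitfalls of using eval() for the moment...

I can't reproduce the side effect you describe.

At a guess, you have loaded a library that overrides eval() to "enhance" the result of whatever eval returns.

answered 2012-04-26T04:15:02.123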