SitePoint Sponsor

User Tag List

Results 1 to 2 of 2
  1. #1
    SitePoint Enthusiast
    Join Date
    Jan 2005
    0 Post(s)
    0 Thread(s)

    AJAX: eval() data


    Is it unsafe to eval() plain text data channeled through a XMLHttpRequest object?

    For example, I make a request... and the response from server says:

    var error=1;var error_msg='User not logged in';

    and I pass that response through eval() to initiate those variables. I just want to know if this is a safe approach on handling data from the XMLHttpRequest object.

    thank you

  2. #2
    SitePoint Addict dek's Avatar
    Join Date
    Oct 2004
    0 Post(s)
    0 Thread(s)
    I would not recommend it.

    Safety concerns aside, quite honestly, it's a pretty nasty way to pass a response. My normal method is to pass back any information via xml, and to parse it at the client end.

    In this case, it might be done as:

    <response type="error">
       <error message="User not logged in" />
    It may seem like more work to implement, but it has huge advantages - one being that you can pass all your information through a common interface, one being that you are not blindly executing code that's come to the client, and one being that you are doing a lot to separate the js side from the server side, instead of mixing them together, as you would be using this method.

    Another option that I'm looking into is to go the JSON route, which looks pretty useful.
    Only dead fish go with the flow


Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts