Without whiteboard commands ----------------------------------------------------

    function importServerNewMessagesSince(msgid) {
        // loadText() is going to return me a JSON object from the server
        // it is an array of {id, author, contents}
        var latest = loadText("get_messages_since.php?message=" + msgid);
        var msgs = eval(latest);
        for (var i = 0; i < msgs.length; i++) {
            var msg = msgs[i];
            displayMessage(escape(msg.id), escape(msg.author), escape(msg.contents));
        }
        // ...
    }
The whiteboard drawing commands are sent by the server in JSON format under the special user name "SVR_CMD", and the JavaScript has now changed slightly:

With whiteboard commands --------------------------------------------------

    function importServerNewMessagesSince(msgid) {
        // loadText() is going to return me a JSON object from the server
        // it is an array of {id, author, contents}
        var latest = loadText("get_messages_since.php?message=" + msgid);
        var msgs = eval(latest);
        for (var i = 0; i < msgs.length; i++) {
            var msg = msgs[i];
            if (msg.author == "SVR_CMD") {
                eval(msg.contents); // <-- Problem here ...
                // I have a JavaScript drawLine() function to handle the whiteboard drawing.
                // The server command sends a JSON function call like this:
                // "drawLine(200,345,222,333)" and eval() is going to parse and execute it.
                // Is it an invitation to hackers to use eval() here, as someone in the chat room can
                // insert a piece of JavaScript code and send it using the name SVR_CMD?
            } else {
                displayMessage(escape(msg.id), escape(msg.author), escape(msg.contents));
            }
        }
        // ...
    }
Now, if a hacker changes his user name to SVR_CMD and starts typing JavaScript code into the message input box, injecting redirectToMyVirusSite() instead of drawLine(200,345,222,333), eval() will run it in the browser of everyone in the chat room. So, as you can see, letting eval execute commands that come from other clients in the chat room is clearly an invitation to hackers. I know the book I am following only uses this as an introduction to the feature. In a real situation, how should we handle this with JSON?

For example, is there a server-side PHP or .NET function to JavaScript-encode/escape the data so that no hacker can send valid JavaScript code to the other clients' browsers for eval()? Or is it safe to use eval() with JSON at all? It seems to be a powerful but evil feature.

Thanks, Tom
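One way to take eval() out of the picture entirely, as an added example that is not part of the original question: the server sends whiteboard commands as data ({"cmd": "drawLine", "args": [...]}) rather than as code text, the client parses the feed with JSON.parse, and only commands in a fixed allow-list with validated numeric arguments are dispatched. The payload format, the SAMPLE_FEED and the recording drawLine handler are constructed for this example; it also assumes the server, not the client, stamps the author field, since the dispatcher cannot by itself tell a spoofed SVR_CMD from a real one.

```javascript
// Added example: whiteboard commands as data, dispatched via an allow-list, never eval().
// Hypothetical message format: {id, author, contents}, where a server command's
// contents is {"cmd": "<name>", "args": [numbers...]} and a chat message's contents is a string.

// Records drawLine calls instead of drawing so the example runs offline.
const drawn = [];

// Allow-list: a Map, so a cmd of "__proto__" or "constructor" resolves to nothing.
const WHITEBOARD_COMMANDS = new Map([
  ["drawLine", { arity: 4, handler: (x1, y1, x2, y2) => drawn.push(["drawLine", x1, y1, x2, y2]) }],
]);

// Runs one command object; returns true only if a known command with valid arguments ran.
function runWhiteboardCommand(contents) {
  if (typeof contents !== "object" || contents === null || Array.isArray(contents)) return false;
  const spec = WHITEBOARD_COMMANDS.get(contents.cmd);
  if (!spec) return false;
  const args = contents.args;
  // Arity and type check: only finite numbers reach the handler, never strings of code.
  if (!Array.isArray(args) || args.length !== spec.arity || !args.every(Number.isFinite)) return false;
  spec.handler(...args);
  return true;
}

// Replacement for the eval()-based loop: JSON.parse yields plain data, so the text
// "redirectToMyVirusSite()" is just a string and is displayed, not executed.
function importServerNewMessages(latestJson) {
  const msgs = JSON.parse(latestJson);
  const displayed = [];
  let executed = 0;
  for (const msg of msgs) {
    if (msg.author === "SVR_CMD" && runWhiteboardCommand(msg.contents)) {
      executed++;
    } else {
      // In a browser this would go into a DOM node via textContent, not innerHTML.
      displayed.push(typeof msg.contents === "string" ? msg.contents : JSON.stringify(msg.contents));
    }
  }
  return { executed, displayed, drawn: drawn.slice() };
}

// Constructed sample feed: a real server command, a spoofed SVR_CMD message carrying
// code text, and an ordinary chat message.
const SAMPLE_FEED = JSON.stringify([
  { id: 1, author: "SVR_CMD", contents: { cmd: "drawLine", args: [200, 345, 222, 333] } },
  { id: 2, author: "SVR_CMD", contents: "redirectToMyVirusSite()" },
  { id: 3, author: "tom", contents: "hello" },
]);
```

With this shape, the question of "escaping" JavaScript for eval() disappears: there is no code string to escape, only a command name looked up in a fixed table.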
eval() = evil. - iambriansreed