DEV Community

Discussion on: You should stop using `parseInt()`

coolprofessor

What about eval()?

hidden_dude

eval is dangerous.

eval("alert('you are hacked')")

coolprofessor • Edited

I get your point, but you can already run JS commands in the console. Also, you can use str.includes("()").

blackr1234

However, end users being able to use console to execute any code doesn't necessarily mean that they will want to do it proactively. If you use eval and if the input is harmful, the end user may be passively affected.

coolprofessor

Potentially, but can't you check the string for functions using 'str.includes("()")'?

blackr1234 • Edited

If you are referring to checking whether the string contains a function call by searching for "()", no, it won't work because there are way too many scenarios. Consider a case where there are spaces between the parentheses, e.g. foo( ), and your code will then allow it to run. It will be better if you only allow whitelisted characters. However, it will still take unnecessary effort and still potentially cause the program to hang (if you are going to search/parse the whole string, which can be very long). So just use the built-in functions that work just fine and don't reinvent the wheel, which is something stupid.
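An added example to illustrate the whitelist approach described above (this is not code from anyone in the thread; the function names are this example's own). `parseStrictInt` accepts only an optional sign followed by ASCII digits, so inputs like `foo( )`, `12abc` or `1e3` are rejected outright instead of being partially parsed by `parseInt()` or executed by `eval()`. `naiveLooksLikeCall` is a constructed stand-in for the `str.includes("()")` idea, included only to contrast how a blacklist misses the spaced-out form.

```javascript
// Added example, not part of the original thread.
// Whitelist: the whole string must be an optional sign plus one or more digits.
const STRICT_INT = /^[+-]?[0-9]+$/;

// Returns a safe integer, or null when the input is not exactly an integer.
function parseStrictInt(input) {
  if (typeof input !== "string") return null;
  const s = input.trim();
  if (!STRICT_INT.test(s)) return null;
  const n = Number(s);
  // Reject values that cannot be represented exactly as a JS number,
  // e.g. 2^53 and above, which parseInt() would silently round.
  return Number.isSafeInteger(n) ? n : null;
}

// Blacklist check discussed in the thread (constructed stand-in for
// str.includes("()")): it only matches the literal two characters "()".
function naiveLooksLikeCall(input) {
  return input.includes("()");
}

// Constructed sample inputs covering the cases raised in the thread.
const SAMPLES = [
  "42", " -17 ", "+8", "12abc", "foo()", "foo( )",
  "1e3", "0x1A", "", "9007199254740993",
];

// Side-by-side comparison of the three approaches for every sample.
function demo() {
  return SAMPLES.map((s) => ({
    input: s,
    parseInt: parseInt(s, 10),          // lenient: "12abc" -> 12, "0x1A" -> 0
    blacklistFlagsIt: naiveLooksLikeCall(s), // misses "foo( )"
    strict: parseStrictInt(s),          // null for anything that is not an integer
  }));
}

if (typeof require !== "undefined" && require.main === module) {
  console.table(demo());
}
```

The point of the whitelist is that there is nothing to "catch": a string that is not purely sign-plus-digits never reaches `Number()` at all, so there is no blacklist to keep up to date, and the regex is anchored, so it runs in linear time even on long inputs.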

hidden_dude

Don't do it.

eval() should never be used on user input.

Often parsing strings to int is done for security reasons. Using eval() would just lead you to code injection and XSS problems.

Don't do it!

blackr1234 • Edited

It will be overkill. There are so many working ways of parsing integers. Why bother using such a dangerous way?