DEV Community

prachimalla

Dangerous Js functions you should avoid

There are a number of functions in JavaScript that you should avoid using with input data.

  1. eval()
  2. execScript()
  3. new Function()
  4. setTimeout()
  5. setInterval()

Note that this list is not exhaustive.
Avoid using these functions with user input. If you need to use these functions with untrusted data, make sure to encode the data for the correct context before adding it to the displayed website.

Some functions, such as eval(), are extremely difficult to protect because they process all input as JavaScript.
So it is better to avoid those functions if you are security conscious.
As a general rule, do not include user input as part of JavaScript code. It is too risky regardless of any encoding or validation you apply. The only acceptable place to include input in JavaScript is when assigning it to variables or as a literal quoted string.
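
The contrast described above, shown as an added example that is not part of the original post: input concatenated into code with eval() and new Function(), next to versions where the input is only ever handled as data. All function names and sample inputs are constructed for illustration.

```javascript
// Added example; function names and inputs are constructed for illustration.
// Pattern the post warns about: the input string becomes part of the program.
function parseSettingsUnsafe(input) {
  return eval('(' + input + ')'); // everything in `input` runs as code
}

// Safer: JSON.parse only builds data and rejects anything that is not JSON.
function parseSettingsSafe(input) {
  try {
    return { ok: true, value: JSON.parse(input) };
  } catch (err) {
    return { ok: false, value: null };
  }
}

// Pattern the post warns about: a function body assembled from input.
function calculateUnsafe(a, op, b) {
  return new Function('return ' + a + op + b)();
}

// Safer: input is only assigned to variables. The operator picks an entry
// from a fixed table and the operands are converted to numbers.
const OPERATIONS = new Map([
  ['+', (x, y) => x + y], ['-', (x, y) => x - y],
  ['*', (x, y) => x * y], ['/', (x, y) => x / y],
]);
function calculateSafe(a, op, b) {
  const x = Number(a);
  const y = Number(b);
  const fn = OPERATIONS.get(op);
  if (!fn || !Number.isFinite(x) || !Number.isFinite(y)) {
    return { ok: false, value: null };
  }
  return { ok: true, value: fn(x, y) };
}

// Constructed inputs: plain JSON, and a string that carries an expression.
const benign = '{"theme":"dark"}';
const crafted = '(globalThis.demoCodeRan = true, {"theme":"dark"})';

function demo() {
  globalThis.demoCodeRan = false;
  parseSettingsUnsafe(crafted);
  const ranUnderEval = globalThis.demoCodeRan; // eval executed the expression
  globalThis.demoCodeRan = false;
  const safeResult = parseSettingsSafe(crafted); // rejected as invalid JSON
  return { ranUnderEval, ranUnderParse: globalThis.demoCodeRan, safeResult };
}
console.log(demo());
```

Both unsafe functions return the expected answer for well-formed input, which is why the problem only shows up when the input is not what the developer assumed.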

๐Ÿ™Thanks For Reading !
