string => number conversion in JS

Question

I have a URL, that I am parsing after the hash. The content after the hash is a math equation (eg. http://example.com/something#5+1) which I would like to find the sum of (or the result of any other equation like a product, division, etc)

I can retrieve the numbers using:

var url = (window.location.hash).substr(1) // returns "5+1" as a string

Although I find if I try to convert this to a number it doesn't actually do the math. It cuts it down to 5, instead of showing the sum of 8.

Is this kind of conversion possible?

thanks!

Eli Grey · Accepted Answer · 2009-12-24 04:47:45Z

6

Do not eval() arbitrary code from the URL as it can easily be exploited for XSS. I have created a library called JSandbox that can sandbox JavaScript code execution, but it requires support for web workers. It would not be a good idea to use fake worker support for IE as then the safety of the sandbox is gone.

Your code would go as follows:

JSandbox.eval("with(Math){" + location.hash.substr(1) + "}", function (res) {
  // handle the results here
});

Use this to also handle errors:

JSandbox.eval("with(Math){" + location.hash.substr(1) + "}", function (res) {
  // handle the results here
}, null, function (err) {
  // handle errors here
});

I included a with (Math) { ... } wrapper so the hash code has short access to Math functions. (eg. abs(..) instead of Math.abs(..))

edited Dec 24, 2009 at 4:47

answered Dec 24, 2009 at 4:35

Eli Grey

36k14 gold badges80 silver badges96 bronze badges

Sign up to request clarification or add additional context in comments.

Comments

Breton · Accepted Answer · 2009-12-24 04:54:04Z

1

To really do this correctly, you need to write a simple parser for your mathematical expression language. This is allegedly not very hard, but I myself have never been able to do it. This is the only way to get the javascript to evaluate and interpret the math expression correctly, without also opening pandoras box, and letting all kinds of nasty stuff through like a simple (and stupid) call to eval() will.

Or you can just have a bit of a look around and find someone who has already done this such as here:

http://silentmatt.com/math/evaluator.php

edited Dec 24, 2009 at 4:54

answered Dec 24, 2009 at 4:47

Breton

15.6k4 gold badges61 silver badges77 bronze badges

Comments

Annabelle · Accepted Answer · 2009-12-24 18:08:00Z

1

eval() is the easiest way to perform the calculation, but you'll definitely want to verify that your input is sane:

var input = window.location.hash.substr(1);
var result = null;

try {
  // Make sure the input is only numbers and supported operators.
  if (/^[-+*/.()0-9]+$/.test(input))
    result = eval(input);
} catch (ex) {
  // Insert error handling here...
}

This regex should filter out any dangerous input.

edited Dec 24, 2009 at 18:08

answered Dec 24, 2009 at 4:20

Annabelle

10.7k5 gold badges29 silver badges26 bronze badges

4 Comments

Crescent Fresh Over a year ago

Don't forget the . in decimals, or % in modulos.

Crescent Fresh Over a year ago

@slebetman: wha? When is the sequence of characters "Math.sin()" part of a valid mathematical equation?

Annabelle Over a year ago

Yes, the regex is extremely simple. But I think it gets the point across.

gleddy Over a year ago

nice, thanks for the input. it's for a javascript tutorial so the security issues are not an issue. Good to know / check out for any future / production use though!

slebetman · Accepted Answer · 2009-12-24 03:55:46Z

0

var code = "5+1";
var result = window.eval(code);

But as in all languages that has eval, be careful with what you eval.

answered Dec 24, 2009 at 3:55

slebetman

115k19 gold badges147 silver badges180 bronze badges

1 Comment

jdigital Over a year ago

If you use eval, precede it with a test, such as a regular expression, to ensure that the string to be eval'ed is what you're expecting.

Community · Accepted Answer · 2017-05-23 12:30:45Z

0

To execute a string see eval and some reasons not to do this are at why-is-using-javascript-eval-function-a-bad-idea.

This means in code of any importance—with data that is coming from an untrusted source (e.g. the internet)—you should parse out the numbers and the mathematical operation...and not accept any other types of input.

edited May 23, 2017 at 12:30

CommunityBot

11 silver badge

answered Dec 24, 2009 at 3:54

HostileFork says dont trust SE

33.7k13 gold badges103 silver badges175 bronze badges

Comments

eriksv88 · Accepted Answer · 2009-12-24 05:38:20Z

0

function CalculateString(hash) {
    var ReturnValue;

    var patt = '([\d*+-/.%])';
    ReturnValue = hash.match(patt)[1];
    ReturnValue = eval(ReturnValue);

    if (ReturnValue > 0) {
        return parseInt(ReturnValue,10);
    } else {
        return 0;
    }
}

So you can do like this:

var Hash = (window.location.hash).substr(1);
var Calculation = CalculateString(Hash); // Retinerer result of the calculation if it is valid, otherwise it will give you 0.

edited Dec 24, 2009 at 5:38

answered Dec 24, 2009 at 4:44

eriksv88

3,5463 gold badges35 silver badges51 bronze badges

2 Comments

Kobi Over a year ago

When calling parseInt you should include the radix - parseInt(val, 10), or things might go octal...

eriksv88 Over a year ago

I know that Firebug gives error on it, but I have not yet found any documentation from the W3C, although that is requested. The closest I've found is this description here: w3schools.com/jsref/jsref_parseInt.asp. But I can update my answer:)

Collectives™ on Stack Overflow

string => number conversion in JS

6 Answers 6

Comments

Comments

4 Comments

1 Comment

Comments

2 Comments

Your Answer

Linked

Hot Network Questions

Collectives™ on Stack Overflow

6 Answers 6

Comments

Comments

4 Comments

1 Comment

Comments

2 Comments

Your Answer

Sign up or log in

Post as a guest

Linked

Related