2

I want to execute script from an editable input field when clicking a button

For example, if you type "alert("x");", I want it to alert "x", but also if you type "for(i=0;i<3;i++){alert(i);}" I want it to execute that.

How can I achieve this?

Edit: Is eval() the only solution? Because I read that it is dangerous: https://developer.mozilla.org/en/JavaScript/Reference/Global_Objects/eval#section_5

2
  • Remember to be very careful when doing this. Be sure you trust your users, as all kinds of malicious JavaScript could be entered. Commented Nov 7, 2011 at 20:14
  • That's true, I just read something when researching about eval() developer.mozilla.org/en/JavaScript/Reference/Global_Objects/… Commented Nov 7, 2011 at 20:16

4 Answers

5

Please note that you're taking input from the user and running it in the context of a script on your site. So the script can do anything that JavaScript running in your browser/domain would have the ability to do (including cookie stealing, XSS, drive-by malware, etc.).

The only thing you can realistically do to mitigate the risks is to not eval() user-provided content. I'd suggest considering the following alternatives:

  1. Use an iframe as an environment to run the user's script: http://dean.edwards.name/weblog/2006/11/sandbox/
  2. Use Caja. It allows websites to safely embed DHTML web applications from third parties, and enables rich interaction between the embedding page and the embedded applications. It uses an object-capability security model to allow for a wide range of flexible security policies. http://code.google.com/p/google-caja/

Happy coding!
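As an added illustration of the first alternative above (not code from the answer or from the linked sandbox page): the user's text is sent to an iframe whose sandbox attribute omits allow-same-origin, so it runs in an opaque origin with no access to the host page's cookies, DOM or storage, and only its result string comes back over postMessage. The element ids and the 2-second timeout are assumptions.

```javascript
// allow-scripts lets the code run; allow-modals lets the user's alert() work;
// allow-same-origin is deliberately left out so the frame cannot touch the host page.
const SANDBOX_FLAGS = 'allow-scripts allow-modals';

// Document loaded into the iframe: waits for the script text, runs it,
// and reports the result (or the error) back to the parent window.
function sandboxSrcdoc() {
  return `<!doctype html><script>
window.addEventListener('message', function (ev) {
  var out;
  try { out = { ok: true, value: String(new Function(ev.data.code)()) }; }
  catch (e) { out = { ok: false, error: String(e) }; }
  ev.source.postMessage(out, '*');
});
<\/script>`;
}

// Create a hidden sandboxed iframe, hand it the code, and resolve with its reply.
function runInSandbox(code, timeoutMs = 2000) {
  return new Promise((resolve, reject) => {
    const frame = document.createElement('iframe');
    frame.setAttribute('sandbox', SANDBOX_FLAGS);
    frame.style.display = 'none';
    frame.srcdoc = sandboxSrcdoc();
    const timer = setTimeout(() => { cleanup(); reject(new Error('sandbox timed out')); }, timeoutMs);
    function cleanup() { clearTimeout(timer); window.removeEventListener('message', onReply); frame.remove(); }
    function onReply(ev) {
      if (ev.source !== frame.contentWindow) return; // ignore messages from anything else
      cleanup();
      resolve(ev.data);
    }
    window.addEventListener('message', onReply);
    frame.addEventListener('load', () => frame.contentWindow.postMessage({ code }, '*'));
    document.body.appendChild(frame);
  });
}

// Wire the button to the editable field; ids are assumptions for this example.
// The reply is written with textContent, never innerHTML, so it cannot inject markup.
function wireRunButton(buttonId = 'run', inputId = 'your_input', outputId = 'output') {
  document.getElementById(buttonId).addEventListener('click', async () => {
    const reply = await runInSandbox(document.getElementById(inputId).value);
    document.getElementById(outputId).textContent = reply.ok ? reply.value : 'Error: ' + reply.error;
  });
}
```

Call wireRunButton() once the page has loaded; a script that loops forever is cut off by the timeout and its frame removed.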


1

Try this one :) http://www.w3schools.com/jsref/jsref_eval.asp

  • Try to avoid sending people to w3schools docs if at all possible. Here's some info on eval at MDN: developer.mozilla.org/en/JavaScript/Reference/Global_Objects/… If you're curious why I say this, this site (though perhaps a little strident) sums it up: w3fools.com
1

Use the eval() command and it will evaluate and execute the JavaScript you pass to it.

0

Use eval, like onclick="eval(document.getElementById('your_input').value)" (the .value is needed; eval() of the element object itself does nothing useful).
