How can I create a new function from a string when the string contains if condition?
The string will comes from outside but in the dummy example below everything is hardcoded to be easier.
let f1: number = 1;
let f2: number = 0;
let condition: string = 'if(this.f1===1){this.f2 = 1}';
let result = this.createFn(condition);
createFn(param: string) {
return new Function('return ' + param)();
// or return new Function(param)();
}
Of course this is not working and I'm searching a way to do it.
I don't want to use eval().
Passing a string to the constructor of Function is almost the same as using eval().
To safely execute arbitrary code in JavaScript you need to have a JavaScript interpreter written in JavaScript which will then execute the received string in a sandbox environment. A quick google search yields this package: https://github.com/NeilFraser/JS-Interpreter.
Others who faced this issue have decided to implement themselves a domain-specific subset of a programming language to then allow the strings to execute that language's code. e.g. SAP's SAPUI5/OpenUI5 solution for the Expression Binding they have.
I am scraping information from a webpage. The following is a snippet of the Javascript function that I am looking to extract the return string value from. In this case "2227885"
I have used the following method from selenium to attempt to extract this value:
result = driver.execute_script("getCurrentClientId()[0]")
print(result)
However, the value returned is None. What is the proper solution to extract the return value from this JS function?
use "return" as part of your javascript:
result = driver.execute_script("return getCurrentClientId()[0]")
print(result)
result = driver.execute_script("return getCurrentClientId()")
print(result)
if the function is not within the html source ,and you want to pass explicitly then use
result = driver.execute_script("return arguments[0]", getCurrentClientId)
print(result)
what ever we pass to execute_script will be passed into arguments arraay in the same order. so the getCurrentClientId can be accessed in the script as arguments[0]
I am using jdk11, graal.js script engine .
We get two json string messages, one has rules/condition(jsRules) and the other one has message. If the value in message satisfies the condition in jsRules it should evaluate to 1 else 0 .
So for example in the below code as String "message" has code: CU_USER hence the jsRules condition
header.code == 'CU_USER'
should have been satisfied and hence the eval below should have printed 1 , but instead it gives 0. Kindly explain what is causing this behavior and how can I get the desired behavior ? .
public static void process()
{
int eval =-2 ;
String jsRules = "{(header.code == 'CU_USER' || header.subcode == 'SD_CODE')?1:0}";
String message = "{code:'CU_USER'}";
ScriptEngine graalEngine = new ScriptEngineManager().getEngineByName("Graal.js");
//graalEngine.put("header",message);
try {
graalEngine.eval("var header = unescape(" + message + ")");
eval = (int)graalEngine.eval(jsRules);
System.out.println("Eval value:: "+eval);
} catch (ScriptException e) {
e.printStackTrace();
}
}
You call unescape({code:'CU_USER'}) while unescape expects a String. Thus, the object you provide as argument is converted to a String (to [object Object] actually) and thus the header variable on the JavaScript side holds a String, not an Object as you expect.
The solution would be to simply remove the unescape, i.e. use graalEngine.eval("var header = " + message); instead.
An alternative solution would be to pass in a Java object. You seem to have tried that with the commented out graalEngine.put("header",message); line. Note that I suppose don't want to pass in a Java string; what you typically want to pass in was a Java object that has a code field. Note that for this to work you need to enable the hostAccess permission to the engine (for more details, check https://github.com/graalvm/graaljs/blob/master/docs/user/ScriptEngine.md).
solution draft:
public static class MyMessageObj {
public String code = "CU_USER";
}
ScriptEngine graalEngine = new ScriptEngineManager().getEngineByName("graal.js");
Bindings bindings = graalEngine.getBindings(ScriptContext.ENGINE_SCOPE);
bindings.put("polyglot.js.allowHostAccess", true);
graalEngine.put("header", new MyMessageObj());
eval = (int) graalEngine.eval(jsRules);
I'm looking for a way to get a function declaration body by name from a string of js code. I'm in Nodejs environment.
Let's say I have some spaghetti.js file. I can read it into a string
const allJs = fs.readFileSync('spaghetti.js');
Now I need a function that receives that string and function name and returns a string with everything between { }.
Something like this
allJs = 'let a=1; const b=[2, 3]; function cook(items){return items}; cook(b)';
parseFunction(allJs, 'cook');//'return items'
The complexity of input js is not limited.
I tried to find an npm module for that, but no luck.
You should have a look at an AST parser for Javascript:
http://esprima.org/
https://github.com/ternjs/acorn
That should be more safe than using RegExp or something.
A String can be evaluated locally with the native eval() method. But remember, eval is a form of evil!
If the parseFunction() above is relying on something like this then the global Function constructor is being used and the 'new' function is bound to the return value of that operation (and thus that return value itself needs to be called).
A simple way to achieve this might be to do something like this...
var funcString = 'var a = 1, b = 3;';
funcString += 'function summit(){return a + b;}';
funcString += 'return summit();';
function makeNewFunc(str) {
return new Function(str);
}
var newFunc = makeNewFunc( funcString );
console.log('newFunc:',newFunc);
//-> newFunc: function anonymous()
console.log('newFunc():',newFunc());
//-> newFunc(): 4
This demonstrates how functions can be created and invoked from String snippets. (EDIT: Turning something like that into a Node module is a simple matter);
Hope that helped. :)
May need a Javascript language lawyer for this one:
var s1 = "{\"x\":\"y:z\"}"
var o = JSON.parse(s1)
var s2 = JSON.stringify(o)
$('span#s').text(s1);
$('span#s2').text(s2);
if (s1 === s2) {
$('span#areEqual').text('s1 === s2')
} else {
$('span#areEqual').text('s1 !== s2')
}
JSON.parse(s2) // okay
$('span#jsonParse').text("JSON.parse(s2) okay")
eval(s2) // bad mojo!
$('span#eval').text("eval(s2) okay")
eval("("+s2+")") // bad mojo, too!
$('span#eval2').text("eval((s2)) okay")
eval fails on s1, s2, and "("+s2+")".
jsFiddle here.
Your problem is that you mixing two unrelated things.
eval() is built-in javascript function, which main purpose is to interpret string of javascript code (thus make potentional security hole)
JSON.parse() function is for parse JSON string. Although very simmilar, do not make mistake, JSON is not Javascript and there are tiny differences. You should not use eval() for parsing JSON
What are the differences between JSON and JavaScript object?
$eval is automatically evaluated against a given scope.
For example:
$scope.a = 2;
var result = $scope.$eval('1+1+a');
// result is 4
$parse does not require scope. It takes an expression as a parameter and returns a function. The function can be invoked with an object that can resolve the locals:
For example:
var fn = $parse('1+1+a');
var result = fn({ a: 2 });
// result is 4
When you use eval for parsing JSON you need to wrap your expression with parentheses
eval('(' + s2 + ')');
jsfiddle
Check out what the specification says about JSON and eval
http://www.json.org/js.html
Notice this part specifically
The eval function is very fast. However, it can compile and execute
any JavaScript program, so there can be security issues. The use of
eval is indicated when the source is trusted and competent. It is much
safer to use a JSON parser. In web applications over XMLHttpRequest,
communication is permitted only to the same origin that provide that
page, so it is trusted. But it might not be competent. If the server
is not rigorous in its JSON encoding, or if it does not scrupulously
validate all of its inputs, then it could deliver invalid JSON text
that could be carrying dangerous script. The eval function would
execute the script, unleashing its malice.
JSON is just a javascript object, and nothing more. Valid javascript could include functions, execution blocks, etc. If you just eval() a string, it could have code it in. JSON will parse if it's just JSON, but you can't know for sure by just stuffing it into eval. For example
var s = "(function(){ /* do badStuff */ return {s: 123, t: 456}; })()";
var result = eval(s);
Would give you a var result with the contents {s: 123, t: 456} but would also execute any code hidden in your function. If you were taking this input from elsewhere, code could be executing and not actually break anything on your end. Now the same example with JSON.parse
var result = JSON.parse(s);
It throws an error with the message:
Uncaught SyntaxError: Unexpected token (
So the parse saves you from remote code execution here, even if someone tried to sneak it in.
eval wasn't an expression - i've updated it to evaluate eval(s2 === s1);
Otherwise it will try & execute what's within the eval & stop execution.
eval() attempts to evaluate a block of JavaScript code. If you had created a script file that started with the same text, you would have gotten the same error. In that context, I believe the braces signify a compound statement, as in an if-statement or for-statement body, but at the beginning of the compound statement is a string followed by a colon, which is not valid syntax.
If you wanted a string that would evaluate to an object, you'd have to enclose the object expression in parentheses to make it explicit that it's an expression. But as apocalypz says, you should not attempt to eval JSON. It's wrong on so many levels.
if you really want to use eval instead of JSON.parse() for parsing JSON then you should write something like
var o2; // declare o2 out of eval in case of "use strict"
eval("o2 = "+s1); // parse s1 and the assignment to the local o2
console.log(o2); // enjoy the local variable :)
...