An HP Fortify scan shows a dynamic code evaluation issue as below. It says the eval() function in JavaScript leads to a security issue. How do I fix this security issue? Below is the code.

        if (objItem.column == 'leftColumn')
        {
            strItems = lcItems.value;
        }
        else if (objItem.column == 'rightColumn')
        {
            strItems = rcItems.value;
        }
        else if (objItem.column == 'toolbox')
        {
            strItems = tbItems.value;
        }
        objItems = eval(strItems);
        item = null;

Here eval(strItems); is the code flagged for the security violation. How do I fix this issue? See the issue details and recommendations to fix the issue below.

Issue explanation

Recommendation to fix issue


asked Feb 3, 2016 at 14:53 by fortifysafeer
  • 1 Without seeing what you're running through eval, it's not possible to tell you how to rewrite it without eval (or whether or not you can safely ignore the warnings, in the remote possibility that use of eval is actually necessary here). – apsillers Commented Feb 3, 2016 at 14:57
  • What is the code trying to do? e.g. what does the strItems variable evaluate to? Once we know that, we can provide a better solution for you. – scunliffe Commented Feb 3, 2016 at 14:57
  • document.getElementById(tbItemsID); – fortifysafeer Commented Feb 3, 2016 at 15:07
  • Are you saying that the value of strItems is actually "document.getElementById(tbItemsID);"? If so, I would modify it to only be the ID that you care about, and then do the lookup by ID instead of the eval statement. – scunliffe Commented Feb 3, 2016 at 15:26
  • If all you want to do is avoid the warning, you could try (0, eval)(strItems). But it would be much better to rewrite the code without eval. – user663031 Commented Feb 3, 2016 at 16:25

1 Answer

It all depends on what the strItems variable you are using evaluates to (e.g. how is it being used?)

If the value is the ID of another element, then changing the eval line to this would work:

objItems = document.getElementById(strItems);

However if it is the name of an element...

//presuming there is at least 1 match by name, drop the index if you want the "set"
objItems = document.getElementsByName(strItems)[0];

Or something else? You'll need to change the code accordingly.
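A data-driven replacement for the eval() line in the question, as an added example that is not code from the question or the answer: the hidden fields are assumed to hold only the target element's id (never an expression), the field names and the fake document are assumptions, and the column name is checked against an allow-list before any lookup.

```javascript
// Added example (not from the original question or answer): replace
// `objItems = eval(strItems)` with a lookup that treats the field value as
// data only. The hidden fields are assumed to contain a bare element id.

// Map each column to the hidden field holding the target element's id.
// Field names are assumptions; the question only mentions lcItems/rcItems/tbItems.
const COLUMN_FIELDS = Object.freeze({
  leftColumn: 'lcItems',
  rightColumn: 'rcItems',
  toolbox: 'tbItems',
});

// Only a plain HTML id is accepted; anything that looks like code is rejected.
const ID_PATTERN = /^[A-Za-z][\w.:-]*$/;

// Resolve the element the old eval() call used to return.
// `doc` is passed in so the function can run outside a browser.
function lookupColumnItems(column, doc) {
  const fieldName = COLUMN_FIELDS[column];
  if (fieldName === undefined) {
    return null; // unknown column: the original fell through to eval(undefined)
  }
  const field = doc.getElementById(fieldName);
  const targetId = field ? String(field.value).trim() : '';
  if (!ID_PATTERN.test(targetId)) {
    return null; // refuses legacy values such as "document.getElementById(x);"
  }
  return doc.getElementById(targetId);
}

// Constructed stand-in for the DOM, used only to exercise the function.
function makeFakeDocument(elements) {
  return {
    getElementById: (id) =>
      Object.prototype.hasOwnProperty.call(elements, id) ? elements[id] : null,
  };
}

// Demo with constructed data: the toolbox field stores a bare id and resolves;
// the left column still stores the old code string and is rejected.
const demoDoc = makeFakeDocument({
  tbItems: { value: 'toolboxList' },
  toolboxList: { id: 'toolboxList', tagName: 'UL' },
  lcItems: { value: 'document.getElementById(tbItemsID);' },
});
console.log(lookupColumnItems('toolbox', demoDoc));    // the toolboxList element
console.log(lookupColumnItems('leftColumn', demoDoc)); // null
```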
