How can I parse a javascript string as if it were injected as text
When entering a javascript string for the paired sequences, some parsing is applied.
For example var foo = "ab\\cd";
will give a foo
value ab\cd
.
I need to take javascript code as a string and extract the value of a variable from it, but when I do that, no escape sequences are applied. How can I reuse the parsing of the text as if enter the string value first.
Here is a fiddle example . It's simple, so I'll put the code here.
HTML:
<a href="javascript:alert('abc\/def');" oncontextmenu="log(this)">Click or right click</a>
JavaScript:
function log(el){
var href = el.getAttribute('href');
var str = href.split("'")[1];
alert(str);
}
Clicking on the link displays a warning abc/def
, but right-clicking will display abc\/def
.
How do I right-click the same as left-clicking?
source to share
In one case, if you want to ensure that all escape strings are applied, it would be to use eval to do the assignment to the string value.
eval("str = '" + str + "'")
or using the new syntax (template strings)
eval(`str = '${str}'`)
If it is not clear, you build the line
str = 'abc\/def'
and executing it as code by passing it to eval
There is a significant risk to this general approach; because it doesn't look like your example, I haven't thought about it before; but depending on your real use case this might be very important:
If the string data has not been properly escaped, as it would be a string literal in your code, this can lead to unexpected results. If the string comes from an untrusted source, then these unexpected results could be exploited and you could have disaster. Basically, if you are accepting user input and constructing an eval string from it, you need to pre-validate the string for the same reason as when constructing an SQL query this way.
Of course, in the case of building SQL queries, we have better ways to interpolate custom inputs into queries that avoid the problem (and therefore, combining custom inputs into query strings is generally considered bad practice); but I cannot think of a similar tool that would suit this purpose. So I can say that if you are using this technique and the input may come from an untrusted source, proceed with caution.
In your example, it would be difficult to enter a really dangerous value, because if you try to enter '
it will split
reject it (and if you try to enter "
that excludes injections from the property href
, which means that even if you use "
eval strings in your template, you will well); but even so it is possible to cause some problems with the HTML snippet like
<a href='\'>
which will make you try to evaluate the line
str = '\'
(which has a non-terminated string literal).
If you have reasonable control over the HTML source, then perhaps that's okay; but it would be good practice to have more deliberate code to sanitize strings used as part of evolution statements.
source to share