Brent already got an answer that works, but I recommend rescuing from the smallest set of exceptions you can get away with. This makes sure you’re not accidentally gobbling up something you don’t mean to be. Thus, begin puts eval(good_str) puts eval(bad_str) rescue SyntaxError => se puts ‘RESCUED!’ end
I’m going to mention one of the new features of Python 3.6 – f-strings. They can evaluate expressions, >>> eval(‘f”{().__class__.__base__}”‘, {‘__builtins__’: None}, {}) “<class ‘object’>” but the attribute access won’t be detected by Python’s tokenizer: 0,0-0,0: ENCODING ‘utf-8’ 1,0-1,1: ERRORTOKEN “‘” 1,1-1,27: STRING ‘f”{().__class__.__base__}”‘ 2,0-2,0: ENDMARKER ”
A slightly better way, avoiding the possible security implications of using eval, is declare “$var=$val” Note that declare is a synonym for typeset in bash. The typeset command is more widely supported (ksh and zsh also use it): typeset “$var=$val” In modern versions of bash, one should use a nameref. declare -n var=x x=$val It’s … Read more
You can test to see if an error is indeed a SyntaxError. try { eval(code); } catch (e) { if (e instanceof SyntaxError) { alert(e.message); } }
The eval function is best used: Never. It’s purpose is to evaluate a string as a Javascript expression. Example: eval(‘x = 42′); It has been used a lot before, because a lot of people didn’t know how to write the proper code for what they wanted to do. For example when using a dynamic name … Read more
The thing is that .replace() does not modify the string itself, so you should write something like: strInputString = strInputString.replace(… It also seems like you’re not doing character escaping correctly. The following worked for me: strInputString = strInputString.replace(/’/g, “\\'”);
You can use sandbox support in nodejs with vm.runInContext(‘js code’, context), sample in api documentation: https://nodejs.org/api/vm.html#vm_vm_runinthiscontext_code_options const util = require(‘util’); const vm = require(‘vm’); const sandbox = { globalVar: 1 }; vm.createContext(sandbox); for (var i = 0; i < 10; ++i) { vm.runInContext(‘globalVar *= 2;’, sandbox); } console.log(util.inspect(sandbox)); // { globalVar: 1024 } WARN: As … Read more
tl;dr The second (0, eval)(‘var a = 1;’); case is in fact not a direct call. You can see this more prevalently in: (function(){ “use strict” var x = eval; x(“var y = 10”); // look at me all indirect window.y;// 10 eval(“var y = 11”); window.y;// still 10, direct call in strict mode gets … Read more
are eval’s security issues fixable or are there just too many tiny details to get it working right? Definitely the latter — a clever hacker will always manage to find a way around your precautions. If you’re satisfied with plain expressions using elementary-type literals only, use ast.literal_eval — that’s what it’s for! For anything fancier, … Read more