node.js - Is the following javascript safe from arbitrary code execution? - Stack Overflow


I'm contributing to a javascript framework which has the equivalent of the following code:

eval("'" + user_input.replace(/'/g, "&#39;") + "'");

I know this is terrible -- no need to persuade me. What I want to know is, can I inject arbitrary code here?

At first glance the user_input.replace(/'/g, "&#39;") would seem to prevent me from breaking out of the string. However, I can pass in newlines, e.g. \nalert(123)\n, but then the result is always a syntax error, e.g.

'
alert(123)
'

Is there actually a vector for code injection here, other than just causing a syntax error?


asked Jan 18, 2014 at 0:22 by bluepnume; edited Jan 18, 2014 at 0:39 by bluepnume
  • 1 I can almost guarantee there is SOME kind of injection you can do here... – markasoftware Commented Jan 18, 2014 at 0:23
  • 1 user_input = 'window.location="http://example."' – Matt Commented Jan 18, 2014 at 0:27
  • 1 @Matt that wouldn't do anything. That's eval-ing 'window.location="http://example."', so it's just a string – markasoftware Commented Jan 18, 2014 at 0:28
  • 1 It does seem rather safe to me, but you wouldn't really be able to eval anything at all, so I don't see how you could use it for something useful ? – adeneo Commented Jan 18, 2014 at 0:31
  • 1 what's the context? Surely there's more to this than just an eval evaluating a string, because that wouldn't do anything. Can you show us the rest of this? – markasoftware Commented Jan 18, 2014 at 0:32

1 Answer

Score: 8

While this is undoubtedly a worrisome pattern, it's safe if used exactly in the way described. The only character that can terminate a single-quoted string in Javascript is the single quote character. So long as that character does not appear in the string interpolated into the single quotes, it cannot possibly be interpreted as anything other than a string.

About the worst thing I can think of that you could do is end a string with a backslash, which would result in an unterminated string, e.g. if user_input were:

example\

then the evaluated code would be

'example\'

which would result in a syntax error, because the string contained in the eval is never terminated. However, if the real eval is actually more complex, this is exploitable. For example, if the code were:

var escaped_input = user_input.replace(/'/g, "&#39;");
eval("'" + escaped_input + "' some more stuff '" + escaped_input + "'");

then it could be exploited with an input like:

; alert(1); // \

which would result in:

'; alert(1); // \' some more stuff '; alert(1); // \'
                                    ^^^^^^^^^^^

in which the underlined content would be evaluated, because the quote that was supposed to exit the string was escaped, turning the next single quote into a closing quote! To be safe, I'd recommend escaping or replacing backslashes if possible (unless you're explicitly trying to use eval() to deal with them, in which case you might just catch the exception).
