Yep, although that still doesn’t make any sense. People see security issues where there are none.
No different than code I do in the classic client now.
Really? eval() functionality exists across many programming languages, and to the very last one, its use is discouraged because exploits have appeared ESPECIALLY when one does not have 100% full control of the expression executed. This means pretty much every web application out there is dangerous if there is any possible way the user can manipulate the expression, which in a browser, is trivial.
JavaScript
Python
PowerShell
Ruby
PHP
Perl
Bad things can happen when we use shortcuts to get things done quickly…
The Open Web Application Security Project calls Dynamic Code Evaluation a type of Command Injection attack.
https://owasp.org/www-community/attacks/Direct_Dynamic_Code_Evaluation_Eval%20Injection
Which one may argue hasn’t been secure either - all of our code, not yours per se. This might be why we’re seeing movement on what we will be able to do in the future. I know, I know, Programming is an art…
This pretty much sums up Application Studio
Yes, really. But also, no. I’m sorry my full point wasn’t clear. I don’t think we are that far apart.
I’m not a fan of eval at all.
My full point was more along the lines of, do not enforce security at the client side. If I can manipulate the code on the front end and bypass security, I’m already in.
I believe we need to be able to inject js into the screen, for advanced scenarios, but in a sandboxed sanctioned way, not using a string from a field etc.
Anything I can do in eval is moot, if I can just manipulate the dom and do the same things.
Do I want eval? Not really. I want a place where I can inject js from the backend.
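Added example, not code from any post in this thread and not Application Studio's own code: it shows the "string from a field" problem raised above in the earlier post, and the kind of constrained evaluator the reply is asking for instead of eval(). The row fields (Quantity, UnitPrice), the formula strings, and the function names evalFormulaUnsafe / evalFormulaSafe are all constructed for the example. The hardened version removes the code-execution primitive only; as the reply says, it does not turn client-side checks into security boundaries, and the server must still validate whatever it receives.

```javascript
// Constructed sample row, standing in for the data a screen binds to.
const sampleRow = { Quantity: 3, UnitPrice: 2.5 };

// VULNERABLE: the formula typed into a field is handed straight to eval().
// Direct eval runs with this function's scope, so "Quantity" resolves, but
// so does any other statement the user appends after a semicolon.
function evalFormulaUnsafe(formula, row) {
  const { Quantity, UnitPrice } = row; // bindings the formula may reference
  // eslint-disable-next-line no-eval
  return eval(formula);
}

// HARDENED: tokenize and parse a tiny arithmetic grammar instead of eval().
// Identifiers are only resolved from an allowlist of row fields; any
// character outside the grammar (';', '.', quotes, brackets) is rejected.
function evalFormulaSafe(formula, row, allowedFields = Object.keys(row)) {
  const tokens = formula.match(/\s*(\d+(?:\.\d+)?|[A-Za-z_]\w*|[-+*\/()])\s*/g);
  // If the matches do not reassemble the input, something unparseable was skipped.
  if (!tokens || tokens.join("") !== formula) {
    throw new Error("formula contains characters outside the allowed grammar");
  }
  const ts = tokens.map((t) => t.trim());
  let pos = 0;
  const peek = () => ts[pos];
  const next = () => ts[pos++];

  function primary() {
    const t = next();
    if (t === undefined) throw new Error("unexpected end of formula");
    if (t === "(") {
      const v = expr();
      if (next() !== ")") throw new Error("missing closing parenthesis");
      return v;
    }
    if (t === "-") return -primary();           // unary minus
    if (/^\d/.test(t)) return Number(t);        // numeric literal
    if (/^[A-Za-z_]/.test(t)) {                 // field reference
      if (!allowedFields.includes(t)) throw new Error(`unknown field: ${t}`);
      return Number(row[t]);
    }
    throw new Error(`unexpected token: ${t}`);
  }
  function term() {
    let v = primary();
    while (peek() === "*" || peek() === "/") {
      const op = next();
      const r = primary();
      v = op === "*" ? v * r : v / r;
    }
    return v;
  }
  function expr() {
    let v = term();
    while (peek() === "+" || peek() === "-") {
      const op = next();
      const r = term();
      v = op === "+" ? v + r : v - r;
    }
    return v;
  }

  const result = expr();
  if (pos !== ts.length) throw new Error(`unexpected token: ${ts[pos]}`);
  return result;
}

// Runs a constructed injection payload through both evaluators and reports
// what happened: the eval() path executes the appended statement, the parser
// path refuses the whole string.
function demonstrateInjection() {
  const payload = "Quantity * UnitPrice; globalThis.leaked = 'session cookie'";
  delete globalThis.leaked;
  evalFormulaUnsafe(payload, sampleRow);   // injected statement runs here
  const leaked = globalThis.leaked;        // 'session cookie'
  let rejected = false;
  try {
    evalFormulaSafe(payload, sampleRow);
  } catch (e) {
    rejected = true;                       // parser rejected ';' and the rest
  }
  return { leaked, rejected };
}

console.log(evalFormulaSafe("(Quantity + 1) * UnitPrice - 2", sampleRow));
console.log(demonstrateInjection());
```

The parser is deliberately small: numbers, four operators, parentheses and allowlisted field names. Anything a screen designer legitimately needs beyond that should be added to the grammar on purpose rather than reintroduced through eval(), and the same expression should be re-evaluated or validated server-side before it affects anything that matters.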
Oh, we’re not. But you’re a very trusted person on this site and if a passerby sees:
It doesn’t contain the nuance that I know you have. That’s all.
You are absolutely right, which is why I typed it out.
And I’m not as responsible as the better coders here!