
Through AJAX I receive a random string (built at RUNTIME on the server) that contains some JavaScript code like:

Plugins.add('test', function()
 { 
        return
            {
                html: '<div>test</div>',//EDITED
                width: 200
            }
 });//EDITED

In the client I want to be able to execute this code. I tried using the eval function like this:

eval("(" + str + ")");

but I get an error. I removed all "\r\n" and removed the last ";" (semicolon), and after that eval succeeded. But if I add a comment to the code above, eval fails.

How can I run the code from the string?

4 Answers


Just remove those parenthesis:

eval(str);

assuming that you made a typo in your question and your server is sending the missing end parenthesis and comma within the object:

Plugins.add('test', function()
 { 
        return {
                html: '<div>test</div>',  // <-- comma was missing
                width: 200
        };
 }
);   // <-- was missing

Note that eval() is considered "evil" as it is very dangerous.


3 Comments

Indeed, better to use JSON.parse()
The comma and missing parenthesis are NOT the problem (updated the post). I just missed them in the post. I tried eval with AND without parentheses; this is not working.
move the { to the same line as the return and it will work. I've updated my solution accordingly.

new Function(str)()

or for JSON:

new Function('return ' + str)();

Use it if it happens to fit your needs any better than eval. It's still evil, like eval.

4 Comments

Why is it evil? The script is executed in the client!
Because most of the time you don't have control over eval()'d code. If that's not the case (if YOU are generating the code), it's fine. If it's coming from ANYWHERE else you run risks of exposing yourself to any form of an XSS attack that may be applicable on your site.
Thank you. I generate the code, so I control it. Why is Function better than eval? Will Function evaluate the code even if it contains NEWLINEs?
No, it's the same. The problem is that usually the reason for any server-generated code is to pass some data to the client (or why do you need it server-generated at all otherwise?). If you don't do all the necessary escaping, checking, etc., a malicious user may misuse your eval() statement to inject code, and he can do whatever is possible with JavaScript. Just google for "evil eval" and you'll find lots of info.

You are missing a comma in your object literal. Return on its own line will simply drop out of the function. I assume you want to return the object. You need to specify the return value on the same line.

Plugins.add('test', function() {
    // Build the object first, then return it; "return" followed by a
    // line break would return undefined because of semicolon insertion.
    var ret = {
        html: '<div>test</div>',
        width: 200
    };
    return ret;
});

2 Comments

return { followed by a line-break and the rest of the object works too.
right, but you have some typos in your code (one excess comma, two semicolons missing and the end parenthesis missing). :-)

You could return your string with a content type of "text/javascript" or "application/x-javascript" - the return value will be executed as JavaScript as soon as it is returned.
