var foo = "function (){ alert('meee'); }";
foo();
I have tried the above but it does not work is there any other way to execute that function without using eval?
thnx
4 Answers
you want to use the Function constructor directly, as Anders said. All arguments are strings. The last argument is the body of the function, any leading arguments are the names of the arguments the function takes.
To borrow from Anders' example,
var multiply = new Function("x", "y", "return x * y");
would be like writing
var multiply = function (x,y) {
return x * y
}
In your case, you have "function (){ alert('meee'); }" and you want to save it as a function to var foo.
var fn = "function (){ alert('meee'); }";
var foo = new Function("return ("+fn+")")();
foo();
// alerts "meee"
The difference between Function and eval is eval runs in the private scope, while Function runs in the global scope.
var x="haha", y="hehe";
function test () {
var x=15, y=34;
eval("alert('eval: ' + x + ', ' + y)");
new Function("alert('Func: ' + x + ', ' + y)")();
}
test();
// eval: 15, 34
// Func: haha, hehe
Don't try to run it in the console, you'll get a deceiving result (consoles use eval). Writing it in a <script> tag and loading it in the browser will give the true result.
3 Comments
Claudiu
please not that the way the
Function constructor creates this function is much the same as the way eval does. it's really just another form of eval, so all this really does is avoid using the word eval itself. but you could also do that like window[(typeof [][0])[3] + "val"]("4 + 3"), which gives 7.Claudiu
i have to reiterate. you say you are scared of script injection or people stealing your passwords if you use
eval. well, THIS IS USING EVAL!!! it's the same thing - arbitrary code is being compiled by JS and run. why do you want users to be able to supply their own functions to your code?
Kumaresan Sd
Can we able to di this without using eval
According to MDC. Use:
var multiply = new Function("x", "y", "return x * y");
var theAnswer = multiply(7, 6);
4 Comments
Val
I am sure i didnt ask for a maths lesson. all i want is to make a string that contains a function as text and call it. it's easy using eval, not safe and very slow.
Anders
@Val, it's an example of what you should be using, read the reference page.
Val
I suggest you should read it again where it says properties...
arguments Deprecated and arity DeprecatedClaudiu
arguments and arity are just properties of the Function object that shouldn't be used. the Function function itself isn't deprecated (although again as I said before, don't use it for what you want to do!)example js code in string
var theInstructions = "function sm(){ alert('meee'); } sm()";
var F=new Function (theInstructions);
F.apply(null)Comments
not that I know of... there's probably a better way to do what you're trying to do without making yourself vulnerable to a script injection attack that doesn't involve passing around javascript as a string.
2 Comments
Val
I know :) i have search alot about this but I need a safe one as I have read about eval well lets just say i got the impression that you might aswell give usernames, and passwords to people or delete everything urself :)
vicatcu
it really depends on where your javascript is coming from? if it's in a database and the only way the code strings get in there is by a secure form or what have you, you're probably ok. On the other hand, if you are letting just anyone put execute arbitrary code against your backend, yea you're probably asking for trouble. Most javascript attacks I can conceive of are mostly going to affect user interaction, rather than your database. What you're alluding to is probably a script that logs keystrokes and sends them off to a remote site via xhr posts or similar.
function (){alert('mee');}is a text which have managed to capture now I need to call the function ... i think the example above works on php thats probably how i got the idea...so function was taken from a<div>function (){alert('meee')}</div>innerhtml so i would of thought it would be a text