Key Concepts

Review core concepts you need to learn to master this subject

Dangers of eval

```javascript
// This user input causes an infinite loop to run
const user_input = "while(true) ;";
eval(user_input);
```

```javascript
// This user input closes the application
const user_input = "process.exit(0)";
eval(user_input);
```

The eval() function in JavaScript takes a string as an argument and executes it as JavaScript source code. Not only is it slow to execute, but bad actors can also inject malicious code through the input string. Thus, it's best never to use it. If you MUST use it, only allow trusted and predetermined input through it. NEVER trust user input.

The functions setInterval(), setTimeout(), and new Function() behave like eval() when given a string to execute, and should be used with the same caution.
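As an added example that is not part of the original lesson, here is the eval-based pattern beside an allowlist replacement that reaches only a fixed, predetermined set of operations, so user input is never interpreted as code. The function names and the "<op> <a> <b>" input format are assumptions made for this illustration.

```javascript
// UNSAFE: whatever the user typed is executed as code, so inputs such as
// "process.exit(0)" or "while(true) ;" run exactly like the examples above.
function unsafeCalculate(userInput) {
  return eval(userInput); // never do this with untrusted input
}

// SAFE: only these predetermined operations can ever be invoked.
// Null prototype so inherited names like "constructor" are not reachable.
const OPERATIONS = Object.freeze(Object.assign(Object.create(null), {
  add: (a, b) => a + b,
  sub: (a, b) => a - b,
  mul: (a, b) => a * b,
  div: (a, b) => {
    if (b === 0) throw new RangeError("division by zero");
    return a / b;
  },
}));

// Accepts input like "add 2 3" (assumed format). Returns the numeric
// result or throws; the input string is parsed as data, never evaluated.
function safeCalculate(userInput) {
  if (typeof userInput !== "string" || userInput.length > 64) {
    throw new TypeError("input must be a short string");
  }
  const parts = userInput.trim().split(/\s+/);
  if (parts.length !== 3) throw new SyntaxError("expected: <op> <a> <b>");
  const [op, left, right] = parts;
  // hasOwnProperty check keeps the lookup strictly inside the allowlist
  if (!Object.prototype.hasOwnProperty.call(OPERATIONS, op)) {
    throw new SyntaxError(`unknown operation: ${op}`);
  }
  const a = Number(left);
  const b = Number(right);
  if (!Number.isFinite(a) || !Number.isFinite(b)) {
    throw new SyntaxError("operands must be finite numbers");
  }
  return OPERATIONS[op](a, b);
}

// Convenience predicate: would this input be accepted by safeCalculate?
function isAccepted(userInput) {
  try {
    safeCalculate(userInput);
    return true;
  } catch {
    return false;
  }
}
```

With the allowlist version, the two inputs from the lesson above are rejected before anything runs, as is any operation name outside the table.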

Defensive Coding in JavaScript
Lesson 1 of 1
