JavaScript JSON eval() injection

ThomasQ
Hi Guys,
I am making an AJAX chat room with the guidance of an AJAX book that teaches me to use JSON and the eval() function.
This chat room has a normal chat function and a whiteboard feature.
When a normal text message comes from the PHP server in JSON format, the JavaScript in the browser does this:

Without Whiteboard Command -------------------------------------------
function importServerNewMessagesSince(msgid) {
    // loadText() is going to return me a JSON object from the server
    // it is an array of {id, author, contents}
    var latest = loadText("get_messages_since.php?message=" + msgid);
    var msgs = eval(latest);
    for (var i = 0; i < msgs.length; i++) {
        var msg = msgs[i];
        displayMessage(escape(msg.id), escape(msg.author), escape(msg.contents));
    }
    // ...
}
-----------------------------------------------------------------------------------------

The whiteboard drawing commands are sent by the server in JSON format under a special user name called "SVR_CMD", so now the JavaScript is changed slightly:

With Whiteboard Command --------------------------------------------------
function importServerNewMessagesSince(msgid) {
    // loadText() is going to return me a JSON object from the server
    // it is an array of {id, author, contents}
    var latest = loadText("get_messages_since.php?message=" + msgid);
    var msgs = eval(latest);
    for (var i = 0; i < msgs.length; i++) {
        var msg = msgs[i];
        if (msg.author == "SVR_CMD") {

            eval(msg.contents);  // <-- Problem here ...

            // I have a JavaScript drawLine() function to handle the whiteboard drawing
            // the server command sends a JSON function call like this:
            // "drawLine(200,345,222,333)" and eval() is going to parse and execute it
            // It is a hacker invitation to use eval(), as someone in the chat room can
            // insert a piece of JavaScript code and send it using the name SVR_CMD?
        }
        else {
            displayMessage(escape(msg.id), escape(msg.author), escape(msg.contents));
        }
    }
    // ...
}
-----------------------------------------------------------------------------------------

Now, if the hacker changes his username to SVR_CMD in the script, then in the message input starts typing JavaScript code, instead of drawLine(200,345,222,333) he is injecting redirectToMyVirusSite(). eval() will just run it for him in everyone's browser in the chat room.

So, as you can see, letting eval() execute a command from another client in the chat room is obviously a hacker invitation. I understand the book I followed is only meant to be an introduction to the functions. How do we do it properly with JSON in a real situation?

E.g. is there a server-side PHP or .NET function to JavaScript-encode/escape, to make sure no hacker can send a valid piece of JavaScript code to other clients' browsers to be eval()'d? Or is it safe to use JSON eval() at all? It seems to be a powerful but evil function.

Thank you,
Tom
Multitechnician
Top Expert 2014
Commented:
So don't use eval.
Use JSON.parse (native, or include json_parse.js).
Separate the chat function and the chat function arguments:

//if (msg.author == "SVR_CMD") {  // commented, see default case in the switch
    switch (msg.funct) {
         // msg.args is an array, so apply() spreads it into drawLine(x1, y1, x2, y2)
         case "drawLine" : drawLine.apply(null, msg.args); break;
         case "drawPixel" : drawPixel.apply(null, msg.args); break;
         // and so on

         // hey, looks like we should be able to use this in the switch and remove the if (msg.author == "SVR_CMD")
         default :  displayMessage(escape(msg.id), escape(msg.author), escape(msg.contents));
    }
//}

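An added example, not code from the original poster or from Multitechnician, that carries the answer through end to end: the server response is parsed with JSON.parse as data, commands are dispatched through an allow-list with argument validation instead of eval(), and a command is recognised by a field the server sets itself rather than by the "SVR_CMD" author name. The wire fields `kind`, `funct` and `args`, the `drawPixel` primitive, the `escapeHtml` helper and the sample batch are all assumptions made for the example; the real get_messages_since.php would have to set `kind: "cmd"` only on records it generates and never copy it from a user's chat input, and the client-side checks below are defence in depth on top of that. One caveat the page does not spell out: the `escape()` used in displayMessage() is URL percent-encoding, so it does not neutralise `<`, `>`, `&` or quotes when the text is written into HTML; the example escapes for HTML instead.

```javascript
// Added example (not from the original post): whiteboard dispatch without eval().
// Assumed wire format: every record has id, author and contents; records the
// server generated itself additionally carry kind: "cmd", funct and args.
// The server must set kind itself and strip it from client-submitted messages;
// the checks here are defence in depth in case a forged field gets through.

// HTML escaping for display. The page's escape() is URL percent-encoding and
// leaves < > & " ' untouched, which is not enough when inserting into HTML.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Builds one client whose drawing and display side effects are recorded in
// arrays, so the result of a batch can be inspected (or asserted on).
function makeWhiteboardClient() {
  const drawn = [];      // whiteboard primitives that were executed
  const displayed = [];  // chat lines that were rendered

  // Allow-list: the only functions a server command may invoke, each with the
  // exact argument count it takes. Nothing outside this table can be reached.
  const COMMANDS = {
    drawLine: { arity: 4, fn: (x1, y1, x2, y2) => drawn.push(["line", x1, y1, x2, y2]) },
    drawPixel: { arity: 2, fn: (x, y) => drawn.push(["pixel", x, y]) },
  };

  // Arguments must be a plain array of small non-negative integers (assumed
  // canvas bound of 4096 px); anything else is rejected rather than coerced.
  function validArgs(args, arity) {
    return Array.isArray(args) && args.length === arity &&
      args.every((n) => Number.isInteger(n) && n >= 0 && n <= 4096);
  }

  function displayMessage(id, author, contents) {
    displayed.push({
      id: escapeHtml(id), author: escapeHtml(author), contents: escapeHtml(contents),
    });
  }

  // Replacement for importServerNewMessagesSince(): takes the raw JSON text
  // the server returned and returns how many records were acted on.
  function handle(jsonText) {
    let msgs;
    try {
      msgs = JSON.parse(jsonText);   // data only; never eval()
    } catch (e) {
      return 0;                      // malformed response: drop the batch
    }
    if (!Array.isArray(msgs)) return 0;
    let handled = 0;
    for (const msg of msgs) {
      if (msg === null || typeof msg !== "object") continue;
      if (msg.kind === "cmd") {
        // hasOwnProperty, not COMMANDS[funct] alone: "constructor" or
        // "__proto__" would otherwise resolve through Object.prototype.
        const known = Object.prototype.hasOwnProperty.call(COMMANDS, msg.funct);
        const cmd = known ? COMMANDS[msg.funct] : null;
        if (cmd && validArgs(msg.args, cmd.arity)) {
          cmd.fn(...msg.args);
          handled++;
        }
        continue;                    // unknown or malformed command: ignored
      }
      // Everything else is chat text, whatever the author calls himself.
      displayMessage(msg.id, msg.author, msg.contents);
      handled++;
    }
    return handled;
  }

  return { handle, drawn, displayed };
}

// Constructed sample batch (not real server output): a genuine server command,
// a user who renamed himself SVR_CMD and typed JavaScript, a forged command
// record, and an ordinary message containing HTML.
const SAMPLE_BATCH = JSON.stringify([
  { id: 1, author: "server", kind: "cmd", funct: "drawLine", args: [200, 345, 222, 333] },
  { id: 2, author: "SVR_CMD", contents: "redirectToMyVirusSite()" },
  { id: 3, author: "mallory", kind: "cmd", funct: "redirectToMyVirusSite", args: [] },
  { id: 4, author: "alice", contents: "<script>alert(1)</script>" },
]);

const demo = makeWhiteboardClient();
demo.handle(SAMPLE_BATCH);
console.log(demo.drawn);      // [["line", 200, 345, 222, 333]]
console.log(demo.displayed);  // two chat lines, HTML-escaped; the forged command is dropped
```

The switch from the answer and this table do the same job; the table form just makes the allow-list and the per-command argument check explicit, and it keeps the dispatch keyed on a server-owned field instead of on a user-chosen name.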
