Recently at my company I have been building a small piece of software in PHP, and one requirement is to check the syntax of user-submitted JS code. I installed the v8js extension and wrapped the submitted code in a function, "var x = function () {User JS code}", so as to validate the client code without having to execute it.
The experimental results are good, but the problem is that the above approach may be exploited by smart users, creating a risk of injection. For example, a customer could input the code "}; Some dangerous code", which can cause big trouble.
Is there any way to check only the syntax of the JS code, without executing it?
V8JS Extension Documentation: http://cn2.php.net/manual/zh/class.v8js.php
Reply content:
Try Javascriptlint or JSLint.
Tracing through the code of the PHP V8 extension, I found that it first checks the JS and then starts executing it. So you only need to modify the code so that it returns after the check; then it only checks the syntax and does not execute the code.
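The compile-then-return idea from the reply above, as an added example that is not part of the original thread: it uses Node.js's `vm` module instead of the PHP v8js extension, and all function names and sample inputs are hypothetical. It shows that the string-concatenated wrapper from the question accepts a "};" breakout as valid syntax, while parsing the input itself as a function body rejects it, and that nothing is executed in either check.

```javascript
const vm = require('vm');

// Compile only: vm.Script parses and compiles in its constructor and
// runs nothing until runInContext()/runInThisContext() is called.
function compilesAsScript(source) {
  try {
    new vm.Script(source, { filename: 'user-input.js' });
    return true;
  } catch (err) {
    if (err.name === 'SyntaxError') return false;
    throw err;
  }
}

// Parse the input itself as a function body. vm.compileFunction builds
// the function without string concatenation and never calls it.
function compilesAsFunctionBody(source) {
  try {
    vm.compileFunction(source, []);
    return true;
  } catch (err) {
    if (err.name === 'SyntaxError') return false;
    throw err;
  }
}

// The wrapper from the question, built by string concatenation.
function wrapLikeQuestion(userCode) {
  return 'var x = function () {' + userCode + '}';
}

// Constructed sample inputs. The breakout only sets a harmless marker.
const samples = {
  valid: 'var n = 1; return n + 1;',
  broken: 'var n = ; return n;',
  breakout: '}; globalThis.__ran = true; var y = function () {',
};

function report() {
  const out = {};
  for (const [name, code] of Object.entries(samples)) {
    out[name] = {
      wrapped: compilesAsScript(wrapLikeQuestion(code)),
      body: compilesAsFunctionBody(code),
    };
  }
  return out;
}
console.log(report(), 'marker set:', globalThis.__ran === true);
```

A compile-only check bounds neither parse time nor memory, so very large or deeply nested submissions still need a size limit before they reach the parser.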