Security Consequences of using Eval in a Simple Browser Game

Another Fen

But is that a possibility?


In damage formula evals the formula is set by the developer and has no regular user input.


I don't know how MV handles things, but in the RGSS generation it would often be possible for the player to abuse "eval" by manipulating the game's savestates.


In Ruby, you could prevent the evaluation of such "tainted" strings in general by setting an appropriate safemode; JS does support something similar if I remember correctly (of course you shouldn't rely on the safemode alone).


After all, I can't think of a way where evaluating string constants in particular would cause security issues (other than it's needlessly slow) if you can make sure the code does not allow other strings to be "smuggled" in. On the other hand, I'm not that experienced in the matter, especially when it comes to web applications.
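
The concern above about strings being "smuggled" into eval through save data, shown as an added example that is not part of the original post or of any RPG Maker code: a damage-formula evaluator that parses a fixed arithmetic grammar instead of calling eval, so a formula string altered in a save file can only do arithmetic on stats. The name `evalDamage`, the `a`/`b` actor objects and the stat names are assumptions made for illustration.

```javascript
// Added example; `evalDamage`, actors `a`/`b` and stat names are assumptions.
// expr  := term (('+'|'-') term)*     term := unary (('*'|'/') unary)*
// unary := '-' unary | number | ('a'|'b') '.' stat | '(' expr ')'
const TOKEN = /\d+(?:\.\d+)?|[ab]\.[a-z]+|[-+*/()]|\S+/g; // last branch = junk
const tokenize = (src) => String(src).match(TOKEN) || [];

function evalDamage(formula, a, b) {
  const tokens = tokenize(formula), actors = { a, b };
  let pos = 0;
  const peek = () => tokens[pos], next = () => tokens[pos++];

  function unary() {
    const t = next();
    if (t === "-") return -unary();
    if (t === "(") {
      const v = expr();
      if (next() !== ")") throw new SyntaxError("expected ')'");
      return v;
    }
    if (/^\d+(\.\d+)?$/.test(t)) return Number(t);
    if (/^[ab]\.[a-z]+$/.test(t)) {
      const obj = actors[t[0]], stat = t.slice(2);
      // Own numeric properties only: no prototype chain, no functions.
      if (!Object.prototype.hasOwnProperty.call(obj, stat) || typeof obj[stat] !== "number")
        throw new RangeError(`unknown stat ${t}`);
      return obj[stat];
    }
    // Junk tokens and a premature end of input (undefined) both land here.
    throw new SyntaxError(`unexpected token ${t}`);
  }
  function term() {
    let v = unary();
    while (peek() === "*" || peek() === "/") v = next() === "*" ? v * unary() : v / unary();
    return v;
  }
  function expr() {
    let v = term();
    while (peek() === "+" || peek() === "-") v = next() === "+" ? v + term() : v - term();
    return v;
  }

  const result = expr();
  if (pos !== tokens.length) throw new SyntaxError(`unexpected token ${peek()}`);
  return result;
}
```

Anything outside the grammar, such as a statement separator or a function call, raises an error before any game state is touched, whether the formula came from the developer's data or from a loaded save.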
 