- Jan 23, 2013
But is that a possibility?
In damage formula evals the formula is set by the developer and has no regular user input.
I don't know how MV handles things, but in the RGSS generation it would often be possible for the player to abuse "eval" by manipulating the game's save states.
In Ruby, you could prevent the evaluation of such "tainted" strings in general by setting an appropriate safe mode; JS does support something similar if I remember correctly (of course you shouldn't rely on the safe mode alone).
After all, I can't think of a way where evaluating string constants in particular would cause security issues (other than that it's needlessly slow) if you can make sure the code does not allow other strings to be "smuggled" in. On the other hand, I'm not that experienced in the matter, especially when it comes to web applications.
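The post above argues that eval is safe only while no string other than the developer's constant can reach it. An added example, not from the post or from RPG Maker MV's own code, of the alternative it hints at: parsing the formula with a whitelist instead of evaluating it, so a formula string that has been tampered with is rejected rather than executed. The battler objects, stat names and sample formulas are constructed for the example.

```javascript
// Added example (not from the forum post): a restricted evaluator for damage formulas such as
// "a.atk * 4 - b.def * 2". The string is parsed, not eval()'d: only numbers, arithmetic, parentheses
// and whitelisted stats are accepted, so a formula read back from a tampered save file is rejected.
const STATS = 'atk|def|mat|mdf|agi|luk|level';   // assumed stat whitelist; extend as needed
const TOKEN = new RegExp(`\\s*(?:(\\d+(?:\\.\\d+)?)|([ab])\\.(${STATS})|([-+*/()]))`, 'y');

function tokenize(src) {
  const tokens = []; let pos = 0;
  while (pos < src.length) {
    TOKEN.lastIndex = pos;                          // sticky regex: must match exactly at pos
    const m = TOKEN.exec(src);
    if (!m) throw new Error(`formula rejected: unexpected input at offset ${pos}`);
    if (m[1] !== undefined) tokens.push({ type: 'num', value: Number(m[1]) });
    else if (m[2] !== undefined) tokens.push({ type: 'stat', who: m[2], stat: m[3] });
    else tokens.push({ type: 'op', value: m[4] });
    pos = TOKEN.lastIndex;
  }
  return tokens;
}

// Recursive-descent evaluation with the usual precedence: * and / bind tighter than + and -.
function evaluateFormula(src, a, b) {
  const tokens = tokenize(src.trim());
  const battlers = { a, b }; let i = 0;
  const peekOp = (...ops) => tokens[i] && tokens[i].type === 'op' && ops.includes(tokens[i].value);
  function primary() {
    const t = tokens[i++];
    if (!t) throw new Error('formula rejected: unexpected end of formula');
    if (t.type === 'num') return t.value;
    if (t.type === 'stat') { const v = battlers[t.who][t.stat]; if (typeof v !== 'number') throw new Error(`formula rejected: ${t.who}.${t.stat} is not numeric`); return v; } // name already whitelisted by TOKEN
    if (t.value === '(') { const v = expr(); if (!peekOp(')')) throw new Error('formula rejected: missing )'); i++; return v; }
    if (t.value === '-') return -primary();         // unary minus
    throw new Error(`formula rejected: unexpected token ${t.value}`);
  }
  function term() { let v = primary(); while (peekOp('*', '/')) v = tokens[i++].value === '*' ? v * primary() : v / primary(); return v; }
  function expr() { let v = term(); while (peekOp('+', '-')) v = tokens[i++].value === '+' ? v + term() : v - term(); return v; }
  const result = expr();
  if (i !== tokens.length) throw new Error('formula rejected: trailing input');
  return result;
}

// Non-throwing wrapper: a game would log the rejection and fall back to zero damage.
function tryFormula(src, a, b) {
  try { return { ok: true, value: evaluateFormula(src, a, b) }; } catch (e) { return { ok: false, reason: e.message }; }
}

// Constructed sample battlers standing in for the game's battler objects.
const hero = { atk: 40, def: 20 }, slime = { atk: 10, def: 8 };
console.log(tryFormula('a.atk * 4 - b.def * 2', hero, slime));   // { ok: true, value: 144 }
console.log(tryFormula('a.atk * 4; foo()', hero, slime));        // { ok: false, reason: 'formula rejected: ...' }
```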