eval-uating server js file dangers

For loading external js files from my server in an asynchronous manner, instead of having to wait for them to load by including in the html head or at the end of the body, I use jquery.get() to retrieve those js files as a string, convert into an object with eval() and assign to a global variable as a property, i.e. (pseudocode):

var globalNameSpace = {};
// foo.js returns a function with code; request it as text so it arrives as a string
jQuery.get('url/foo.js', function (data) {
    globalNameSpace['foo'] = eval(data);
    // from here onwards, access code in foo.js as:
    globalNameSpace.foo.property;
    globalNameSpace.foo.method();
}, 'text');

This also means I can display an HTML page with a loading bar etc.

The question is, with all the hype of eval() being dangerous with uncontrolled inputs, seeing as this is only to load "controlled" (although probably buggy :P) scripts from my own server (ajax same domain policy etc), how is this more dangerous than simply including the js files with tags, am I missing out on something?


There's no more danger than including the JavaScript normally using blocking <script> tags.

But you should consider either using the async attribute, which is supported in IE10, Chrome 11, Safari 5 and FF 3.6, or injecting the script element into your document using jQuery.getScript when the DOM ready event is fired.
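
The script-element injection suggested in the answer, as an added example that is not part of the original question or answer: it loads a same-origin file asynchronously without fetching its text or calling eval(). The names loadScript and pageUrl, the example.test host in the comments, and the convention that foo.js registers itself on globalNameSpace are assumptions made for this sketch.

```javascript
// Added example (not from the original thread): load a same-origin script by
// injecting an async <script> element instead of eval()-ing fetched text.
// loadScript and pageUrl are hypothetical names chosen for illustration.

var globalNameSpace = {};

function loadScript(doc, pageUrl, src, onDone) {
    // Resolve relative paths against the page, then refuse anything that is
    // not http(s) on the page's own origin (the "controlled" server).
    var target = new URL(src, pageUrl);
    if (target.origin !== new URL(pageUrl).origin ||
        !/^https?:$/.test(target.protocol)) {
        throw new Error('refusing cross-origin script: ' + target.href);
    }
    var el = doc.createElement('script');
    el.async = true;               // do not block HTML parsing
    el.src = target.href;
    el.onload = function () { onDone(null, el); };
    el.onerror = function () { onDone(new Error('failed to load ' + el.src)); };
    doc.head.appendChild(el);      // the browser fetches it and runs it in global scope
    return el;
}

// Browser usage; foo.js is assumed to assign globalNameSpace.foo itself:
// loadScript(document, location.href, 'url/foo.js', function (err) {
//     if (!err) { globalNameSpace.foo.method(); }
// });
```

A loader of this shape keeps working under a Content-Security-Policy of `script-src 'self'`, whereas the eval() approach needs `'unsafe-eval'` to be allowed.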
