I get your point, but you can already run JS commands in the console. Also, you can use `str.includes("()")`.

However, end users being able to use the console to execute any code doesn't necessarily mean that they will want to do it proactively. If you use `eval` and the input is harmful, the end user may be passively affected.

Potentially, but can't you check the string for functions using `str.includes("()")`?

If you are referring to checking if the string contains a function call by searching for `"()"`, no, it won't work because there are way too many scenarios. Consider a case when there are spaces in between the parentheses, e.g. `foo( )`, and your code will then allow it to run. It will be better if you only allow whitelisted characters. However, it will still take unnecessary effort and still potentially cause the program to hang (if you are going to search/parse the whole string, which can be very long). So just use the built-in functions that work just fine and don't reinvent the wheel, which is something stupid.
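An added example (not code from any of the commenters) that shows the point of the last reply in JavaScript: a `"()"` substring check misses calls such as `foo( )`, while the built-in parsers turn user text into data without ever evaluating it. The function names and sample inputs are constructed for this example.

```javascript
// Added example, not code from the thread. It shows why a "()" substring
// check is not a safe gate in front of eval(), and what the "use the built-in
// functions" advice looks like when the goal is to turn user text into data.

// The naive check proposed in the thread.
function looksLikeCall(str) {
  return str.includes("()");
}

// Constructed inputs: every one of these is a JavaScript call expression,
// but only the first contains the literal two-character sequence "()".
const CALL_SAMPLES = ["foo()", "foo( )", "foo (1)", "foo``"];

// Returns the call expressions that the naive check would let through.
function missedByNaiveCheck(samples = CALL_SAMPLES) {
  return samples.filter((s) => !looksLikeCall(s));
}

// The alternative: never evaluate the text. Parse it as data with a built-in
// parser. Code, including every sample above, is a parse error, not a call.
function parseUserValue(str) {
  try {
    return { ok: true, value: JSON.parse(str) };
  } catch (err) {
    // SyntaxError from JSON.parse: nothing was executed.
    return { ok: false, error: err.name };
  }
}

// Same idea for numbers: Number() converts, it does not evaluate.
function parseUserNumber(str) {
  const n = Number(str);
  return Number.isFinite(n) ? n : null;
}

console.log(missedByNaiveCheck()); // [ 'foo( )', 'foo (1)', 'foo``' ]
console.log(parseUserValue('{"qty": 2}')); // { ok: true, value: { qty: 2 } }
console.log(parseUserValue("foo( )")); // { ok: false, error: 'SyntaxError' }
console.log(parseUserNumber("1+1")); // null
```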