Thomas 'PointedEars' Lahn wrote:
> Michael White wrote:
>> function RunRoutine(sR){
>> eval(sR)
>> }
>
> Kids, don't try this at home! It's the worst possible way to do it, as it
> will allow for arbitrary code injection.
>
> Assuming that the function to be called is declared global, the following is
> safer:
>
>   var _global = this;
>
>   function runRoutine(sR)
>   {
>     sR = sR.match(/^[^\(]+/)[0];
>     if (typeof _global[sR] == "function")
>     {
>       _global[sR]();
>     }
>   }
>
>   runRoutine(sRoutine);

I didn't understand:
- the regexp (which returns only the name of the function)
- the [0] in sR.match(...)[0];
  it seems that it works without [0]
- what this runRoutine() is supposed to do (better and safer)

I've tested the following code:

  <html>
  <script type="text/javascript">
  var _global = this;
  function runRoutine(sR) {
    sR = sR.match(/^[^\(]+/)[0];
    if (typeof _global[sR] == "function") { _global[sR](); }
    return false;
  }
  </script>
  <form onsubmit="return runRoutine(this.txt.value);">
  <textarea name=txt>alert('hello')</textarea>
  <input type=submit value=GO>
  </form>
  </html>

and ... of course ... I obtain in Firefox:

  Erreur : uncaught exception: [Exception... "Not enough arguments"

More:
- adding in script: function oo() { alert('hello'); }
- changing the textarea's content to: oo
  result = the alert 'hello' fires,
  while I didn't enter a complete function such as oo()

With this in the textarea: oo(); ooo();
the alert fires too (without the [0] in sR matching)

--
sm
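
Added example, not part of the posts above: it shows what the regexp and the [0] in the quoted runRoutine() do, why the lookup also works without [0], and a stricter variant that calls only functions from an explicit allowlist instead of anything on the global object. The names extractName, keyWithoutIndex, routines and calls are hypothetical, the inputs are constructed, and the trim() and null check are additions (the quoted version throws on input such as "(1)" because match() returns null).

```javascript
// Added example: helper names and sample inputs are constructed for illustration.

// The regexp /^[^\(]+/ keeps everything before the first "(".
// match() returns an array (or null); [0] is the matched text itself.
function extractName(sR) {
  var m = String(sR).match(/^[^\(]+/);
  return m === null ? null : m[0];
}

// Without [0], the one-element array is converted to a string when it is
// used as a property key, so obj[["oo"]] is the same lookup as obj["oo"].
function keyWithoutIndex(sR) {
  var m = String(sR).match(/^[^\(]+/);
  return m === null ? null : String(m);
}

// Hypothetical allowlist: only functions placed here can be called,
// rather than every function reachable on the global object.
var calls = [];
var routines = Object.create(null);
routines.oo = function () { calls.push("oo"); };

function runRoutine(sR) {
  var name = extractName(sR);
  if (name === null) { return false; }        // "" or "(1)": nothing before "("
  name = name.trim();                         // textarea input may carry whitespace
  if (typeof routines[name] !== "function") { return false; }
  routines[name]();                           // always called with no arguments
  return true;
}

console.log(extractName("oo(); ooo();"));     // text after the first "(" is dropped
console.log(extractName("alert('hello')"));   // the name survives, the argument is lost
console.log(runRoutine("oo"), runRoutine("alert('hello')"), runRoutine("(1)"));
```

The second console.log line shows why the tested page called alert with no arguments: the input is never evaluated, only the name before the first "(" is looked up and invoked.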