
Use Function Objects for deserialization, instead of eval #159

Open. Wants to merge 1 commit into base: main
Conversation

tornikeshavishvili commented

I confirm that this contribution is made under the terms of the license found in the root directory of this repository's source tree and that I have the authority necessary to make this contribution on behalf of its copyright owner.

tornikeshavishvili changed the title from "Use Function Objects for deserialization, instead of eval #158" to "Use Function Objects for deserialization, instead of eval" on Jan 21, 2023

okuryu (Collaborator) commented Jan 23, 2023

As noted in the description, deserialization is not a use case for this module.
https://github.com/yahoo/serialize-javascript#deserializing

tornikeshavishvili (Author) commented

> As noted in the description, deserialization is not a use case for this module. https://github.com/yahoo/serialize-javascript#deserializing

At least the provided example using eval would have been nice to change to Function objects.
BUT . . .
Yes, noted, but it is not backed with arguments, and we humbly disagree. Why is this the case? We are loading users with the task of implementing deserialization, which should not be the case, because it shifts their attention and energy from whatever they are doing to a task that could have been provided by this module. This is very uncomfortable from a lot of viewpoints.

okuryu (Collaborator) commented Jan 24, 2023

If you have a better way to deserialize, please update the example and suggest it instead of changing the code.

tornikeshavishvili (Author) commented

> If you have a better way to deserialize, please update the example and suggest it instead of changing the code.

If you agree that deserialization with Function objects is better, then I will commit the README :|

okuryu (Collaborator) commented Jan 27, 2023

It depends on what perspective is better. My understanding is that neither eval() nor new Function() is necessarily safe. There are security risks in both. If you use them, it is a prerequisite that you know what data is passed to them.
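As an added example (not code from serialize-javascript or from this PR) illustrating the point above: both deserializers execute whatever code the serialized string carries, and the only real difference between them is scope visibility; the sample strings are constructed in serialize-javascript's output style, and `parseAsData` is a hypothetical helper showing the code-free path for plain data.

```javascript
// Added example (not code from serialize-javascript or from this PR):
// compares eval() and new Function() on the same serialized string.
// Sample strings below are constructed in serialize-javascript's output style.

// Deserialize the way the README example does it, via direct eval().
function deserializeWithEval(serialized) {
  return eval('(' + serialized + ')');
}

// Deserialize via a Function object, as this PR proposes.
function deserializeWithFunction(serialized) {
  return new Function('return (' + serialized + ')')();
}

// Constructed sample: an object literal that also carries code, which is
// what serialize-javascript output can contain (functions, regexps, dates).
const SAMPLE = '{"n":1,"f":function(){return 2}}';

// A serialized string is a program. This constructed string sets a marker on
// globalThis when evaluated; both deserializers run it unchanged.
const SIDE_EFFECT = '{"n":(globalThis.__ran = true, 1)}';

function runsEmbeddedCode(deserialize) {
  globalThis.__ran = false;
  const obj = deserialize(SIDE_EFFECT);
  return obj.n === 1 && globalThis.__ran === true;
}

// The one real difference: direct eval() sees the caller's local scope,
// new Function() only sees the global scope.
function scopeVisibility() {
  const localSecret = 'visible-to-eval'; // read by eval() below
  let viaFunction;
  try {
    viaFunction = new Function('return localSecret')();
  } catch (e) {
    viaFunction = e.name; // 'ReferenceError': not visible to new Function()
  }
  return { viaEval: eval('localSecret'), viaFunction };
}

// Hypothetical helper: when no functions/regexps/dates need to round-trip,
// JSON.parse() is the code-free path and rejects anything that is not data.
function parseAsData(serialized) {
  try {
    return { ok: true, value: JSON.parse(serialized) };
  } catch (e) {
    return { ok: false, error: e.name }; // 'SyntaxError'
  }
}
```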
