New Blog Post by me! Refactoring a Web Performance Snippet for Security and Best Practice nooshu.com/blog/2025/01... - ThreadSky

About ThreadSky

therealnooshu.bsky.social • 56 days ago

New Blog Post by me!

Refactoring a Web Performance Snippet for Security and Best Practice

https://nooshu.com/blog/2025/01/02/refactoring-a-web-performance-snippet-for-security-and-best-practice/

Comments

twnsnd.com•56 days ago

> the use of the setTimeout() which is a type of eval() and is a huge security risk.

Do you have any docs for this @therealnooshu.bsky.social? It’s not something I’ve come across before… afaik setTimeout doesn’t evaluate arbitrary strings as code, so I’m curious as to how it’s dangerous.

therealnooshu.bsky.social•56 days ago

I've always been under the impression it was just like eval but running on a timer, would be genuinely interested to learn if that is incorrect, though! A quick Google lead to this link:
https://www.blackduck.com/blog/javascript-security-best-practices.html

2nd bullet point under Write quality code.

bluesmoon.info•56 days ago

setTimeout can accept a string instead of a function reference and in that case it functions as eval.

therealnooshu.bsky.social•56 days ago

Thanks for the information Philip! Adds some really interesting context 😍

jmourell.bsky.social•56 days ago

https://stackoverflow.com/questions/11684558/difference-between-eval-and-settimeout-execute-string-code

twnsnd.com•56 days ago

Ah interesting – I did not know it accepted strings.

Still, it doesn’t appear dangerous if you’re passing your own function to it… only in the case it’s given a string that could contain user-input. Therefore, I don’t believe Matt’s usage was problematic.

bluesmoon.info•56 days ago

Back in the day the only way to use setTimeout was with a string acting as a delayed eval. IIRC function references were added later but string support was left in for backwards compatibility

Posting Rules

Be respectful to others
No spam or self-promotion
Stay on topic
Follow Bluesky's terms of service

Comments

Posting Rules

Reply