Use Function Objects for deserialization, instead of eval #159
tornikeshavishvili wants to merge 1 commit into yahoo:main from
Conversation
okuryu
commented
Jan 23, 2023
As noted in the description, deserialization is not a use case for this module.
https://github.com/yahoo/serialize-javascript#deserializing
tornikeshavishvili
commented
Jan 23, 2023
> As noted in the description, deserialization is not a use case for this module. https://github.com/yahoo/serialize-javascript#deserializing

At least the provided example using eval would be nice to have been changed with Function objects.
BUT . . .
Yes, noted, but not backed with arguments, and we humbly disagree. Why is this the case? We are loading users with the task to implement deserialization, which should not be the case, because it shifts their attention and energy from whatever they are doing to a task that could have been provided by this module. This is very uncomfortable from a lot of viewpoints.
okuryu
commented
Jan 24, 2023
If you have a better way to deserialization, please update the example and suggest it instead of changing the code.
tornikeshavishvili
commented
Jan 25, 2023
> If you have a better way to deserialization, please update the example and suggest it instead of changing the code.

If you agree that deserialization with Function objects is better, then I will commit the readme :|
okuryu
commented
Jan 27, 2023
It depends on what perspective is better. My understanding is that neither eval() nor new Function() is necessarily safe. There are security risks in both. If you use them, it is a prerequisite that you know what data is passed to them.
I confirm that this contribution is made under the terms of the license found in the root directory of this repository's source tree and that I have the authority necessary to make this contribution on behalf of its copyright owner.