We've been advised to never use eval() for security reasons. I've been building a calculator, and solving mathematical expressions is a big part of my project. I do have a function that checks whether the expression is a mathematical expression before evaluating it; otherwise an error should be thrown. Also, I want to mention that all the data should be coming from clicked button(s), just like a TI-84 Plus calculator, which means the user inputs are kind of limited. Everything is working fine, but I'm just worried whether I should apply another mechanism to approach this issue. The reason I decided to use this math.js library is that this project was not supposed to be a big one or a complicated one at all. I did read the security docs from the math.js docs page https://mathjs.org/examples/advanced/more_secure_eval.js.html, and it seems like we are only recommended not to use it on the server side. Big thanks in advance!
-
It feels like you're asking about a homework project (in which case they'll almost certainly want you to implement the maths parts yourself, depending on the course and part of the course this is homework for): are you? – Mike 'Pomax' Kamermans Jul 14 '21 at 03:51
-
No sir, it's not homework, I'm not in school this summer. I was just replicating a TI-84 calculator to add to my portfolio as I have very old projects. So part of the deal. The project is kinda done, I just want to make sure I'm doing it the secure way. – jbz Jul 14 '21 at 04:32
-
Then you'll want to update your post to be structured differently: is it just a web page or is it backed by a server? Also, since all operations are based on buttons, you have a limited operation tree, with each button very clearly mapping to operations, so there shouldn't be a need for math.js's parser evaluation at all here (and probably no need for math.js even; you have a running "input" that starts empty and only gets updated by button presses, and if you've done this right, there's never a string anywhere in your code except for your "input log"). – Mike 'Pomax' Kamermans Jul 14 '21 at 14:27
-
I tried to subdivide the app into as many different small sub-components as I could in order to keep track of everything. I had to use the state-lifting-up React approach; even when everything was moving to the playground component view for evaluation, I was still unable to solve a mathematical string expression such as "9 sin(34) + e^2" without having to loop through each string and try to find which one contains a trigonometric expression or anything related, and fortunately this library came in handy because it does PERFECTLY what might have taken me countless hours, or days. Yes, it's a React web app, sir – jbz Jul 14 '21 at 22:04
-
If it solves your problem, and you have no professional mandate to enforce the most secure solution, as a portfolio app you're done. If you wanted to _actually_ implement a calculator, you'd have your buttons mapped to operators in an expression tree which you'd then resolve bottom-up (a fairly common exercise, _lots_ of tutorials about that on the web) – Mike 'Pomax' Kamermans Jul 14 '21 at 22:43
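As an added example (not code from the question, the comments, or math.js), here is the button-driven design the comment above describes: each button press contributes a token, the tokens are parsed into an expression tree, and the tree is evaluated against fixed whitelists of operators, functions and constants. No string is ever handed to eval() or to a general-purpose expression parser, so an unexpected label such as "constructor" is rejected at parse time instead of reaching any runtime. The function names (tokensFromButtons, buildTree, evaluateTree, calculate) and the sample press sequence for "9 sin(34) + e^2" are assumptions constructed for this illustration.

```javascript
// Whitelists are Maps rather than plain objects so that keys inherited from
// Object.prototype (e.g. 'constructor', '__proto__') can never be looked up.
const OPS = new Map([
  ['+', (a, b) => a + b], ['-', (a, b) => a - b],
  ['*', (a, b) => a * b], ['/', (a, b) => a / b],
  ['^', (a, b) => a ** b],
]);
const FUNCS = new Map([
  ['sin', Math.sin], ['cos', Math.cos], ['tan', Math.tan],
  ['sqrt', Math.sqrt], ['ln', Math.log], ['log', Math.log10],
]);
const CONSTS = new Map([['e', Math.E], ['pi', Math.PI]]);

// Button labels -> tokens. Consecutive digit/'.' presses form one number token;
// every other label passes through as a symbol and must match a whitelist later.
function tokensFromButtons(labels) {
  const tokens = [];
  let digits = '';
  const flush = () => {
    if (digits === '') return;
    if (!/^(\d+\.?\d*|\.\d+)$/.test(digits)) throw new SyntaxError(`malformed number "${digits}"`);
    tokens.push(Number(digits));
    digits = '';
  };
  for (const label of labels) {
    if (/^[0-9.]$/.test(label)) { digits += label; continue; }
    flush();
    tokens.push(label);
  }
  flush();
  return tokens;
}

// Recursive-descent parser producing an expression tree:
//   expr  := term (('+'|'-') term)*
//   term  := unary (('*'|'/'|<implicit>) unary)*   implicit multiply: "9 sin(34)"
//   unary := '-' unary | power
//   power := primary ('^' unary)?                   right-assoc; -3^2 parses as -(3^2)
function buildTree(tokens) {
  let pos = 0;
  const peek = () => tokens[pos];
  const next = () => tokens[pos++];
  const expect = (tok) => { if (next() !== tok) throw new SyntaxError(`expected "${tok}"`); };

  function parseExpr() {
    let node = parseTerm();
    while (peek() === '+' || peek() === '-') {
      const op = next();
      node = { type: 'op', op, left: node, right: parseTerm() };
    }
    return node;
  }
  function parseTerm() {
    let node = parseUnary();
    for (;;) {
      const t = peek();
      if (t === '*' || t === '/') {
        next();
        node = { type: 'op', op: t, left: node, right: parseUnary() };
      } else if (t === '(' || FUNCS.has(t) || CONSTS.has(t)) {
        node = { type: 'op', op: '*', left: node, right: parseUnary() }; // implicit multiply
      } else {
        return node;
      }
    }
  }
  function parseUnary() {
    if (peek() === '-') { next(); return { type: 'neg', arg: parseUnary() }; }
    return parsePower();
  }
  function parsePower() {
    const base = parsePrimary();
    if (peek() === '^') { next(); return { type: 'op', op: '^', left: base, right: parseUnary() }; }
    return base;
  }
  function parsePrimary() {
    const t = next();
    if (typeof t === 'number') return { type: 'num', value: t };
    if (CONSTS.has(t)) return { type: 'num', value: CONSTS.get(t) };
    if (FUNCS.has(t)) { expect('('); const arg = parseExpr(); expect(')'); return { type: 'func', name: t, arg }; }
    if (t === '(') { const inner = parseExpr(); expect(')'); return inner; }
    // Anything not whitelisted (an unknown label, or end of input) is rejected here.
    throw new SyntaxError(t === undefined ? 'unexpected end of input' : `unexpected token "${String(t)}"`);
  }

  const tree = parseExpr();
  if (pos !== tokens.length) throw new SyntaxError(`unexpected token "${String(tokens[pos])}"`);
  return tree;
}

// Bottom-up evaluation: only whitelisted operators and functions are reachable.
function evaluateTree(node) {
  switch (node.type) {
    case 'num': return node.value;
    case 'neg': return -evaluateTree(node.arg);
    case 'func': return FUNCS.get(node.name)(evaluateTree(node.arg));
    case 'op': return OPS.get(node.op)(evaluateTree(node.left), evaluateTree(node.right));
    default: throw new Error(`unknown node type ${node.type}`);
  }
}

// Full pipeline: button presses -> number.
function calculate(labels) {
  return evaluateTree(buildTree(tokensFromButtons(labels)));
}

// Constructed sample: the presses for "9 sin(34) + e^2" (sin in radians).
console.log(calculate(['9', 'sin', '(', '3', '4', ')', '+', 'e', '^', '2']));
```

In a React app the `labels` array is simply the "input log" the comment mentions, appended to by each button's onClick handler and cleared by the reset button; `calculate` runs on the equals press. Adding a new function to the calculator means adding one Map entry, and nothing a user can type ever becomes a property name looked up on an arbitrary object.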
-
Thank you, @Mike'Pomax'Kamermans – jbz Jul 15 '21 at 05:06