eval('foo=a', obj.fn); How you aren't private in Firefox

Date: 2008 06 27
Category: Tech & Development

Peter Michaux has found the magical eval(..., context) method available in the Firefox implementation. This means that you can't create truly private data:

    // Getting "private" variables
    var obj = (function() {
      var a = 21;
      return {
        // public function must reference 'a'
        fn: function() {a;}
      };
    })();

    var foo;
    eval('foo=a', obj.fn);
    console.log(foo); // 21

    // Setting "private" variables
    var obj = (function() {
      var a = 21;
      return {
        getA: function(){return a;},
        alertA: function(){alert(a);}
      };
    })();

    console.log(obj.getA()); // 21
    eval('a=3', obj.getA);
    console.log(obj.getA()); // 3
    obj.alertA(); // 3

Of course, this is the way of dynamic languages and there is still value:
This use of the eval, however, doesn't make the module pattern useless. Its primary benefits are modularizing code so similarly named variables are not colliding and protecting you or other developers from accidentally violating a programming interface. The module pattern also makes it possible to do OOP-like things without using keywords new, this and prototype which generally makes code more robust.
So the module pattern is still good. It just doesn't provide any security in a major browser.
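
An added example (not from the original post or from Peter Michaux): a feature probe that reports whether the running engine honours the second argument to eval, so code that treats closure variables as secrets can check before relying on them. The names probeEvalContext and __probeSecret are hypothetical; on an engine that ignores the second argument, both results are false.

```javascript
// Added example: probe whether this engine honours eval(code, contextFn).
// probeEvalContext and __probeSecret are hypothetical names chosen for this sketch.
function probeEvalContext() {
  'use strict'; // where supported, a stray assignment throws instead of creating a global

  // Module-pattern object with one closure-scoped variable.
  var mod = (function () {
    var __probeSecret = 21;
    return {
      get: function () { return __probeSecret; }
    };
  })();

  var result = { read: false, write: false };

  // Read attempt: without context support the name does not resolve
  // in this function's scope and eval throws a ReferenceError.
  try {
    result.read = eval('__probeSecret', mod.get) === 21;
  } catch (e) {
    result.read = false;
  }

  // Write attempt: judged by what the module's own getter returns afterwards.
  try {
    eval('__probeSecret = 3', mod.get);
  } catch (e) {
    // strict mode: assignment to an undeclared name throws
  }
  result.write = mod.get() === 3;

  // A sloppy-mode engine without context support would have created a global; remove it.
  try { delete globalThis.__probeSecret; } catch (e) {}

  return result;
}

console.log(probeEvalContext());
```

If either field comes back true, closure-scoped variables in that engine are reachable by any script on the page and should not hold secrets.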