CodeSOD: Evaluating Tax Burdens
Many years ago, Westie's employer got hired to help a client rebuild their tax advice website. The current version was... not in good shape, didn't provide a good user experience, and was incredibly unmaintainable. Westie's mission? Rewrite it from scratch.
As these projects go, however, the requirements were ill-documented, and basically amounted to "Uh, just make it do all the same things, but it shouldn't suck anymore."
Which meant Westie needed to use the existing site to understand what needed to be built. As a lark, Westie entered their income for the year as alert("Hello world") and oops! An alert box appeared when Westie hit submit.
Similarly, entering JavaScript code into many of the numeric input boxes was allowed, and also executed that code. It didn't take long to unpick what anti-pattern was in play here.
var total = eval(step1) + eval(step2) + eval(step3) + eval(step4) + eval(step5)
This was their approach to parsing inputs- they simply passed each field straight to eval, so whatever the user typed into a "number" box was executed as JavaScript in the browser.
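To make the anti-pattern concrete, here is an added example (not the client's code, and not Westie's) that puts an eval-based summation like the one above beside a strict numeric parser. The five step values, the sample amounts and the payload are constructed for illustration; the payload mirrors Westie's trick of typing code into an income field, except that it also evaluates to a number so the total still looks right.

```javascript
// Added example, not from the original site. Each "step" is a string straight
// out of a form input, which is all the browser ever hands you.

// The anti-pattern from the article: every field goes through eval(), so a
// field that holds JavaScript runs with the page's privileges.
function sumStepsUnsafe(steps) {
  // eslint-disable-next-line no-eval
  return steps.reduce((total, s) => total + eval(s), 0);
}

// Strict decimal grammar: optional sign, digits, optional fraction, nothing
// else. This deliberately rejects things Number() would happily accept, such
// as "" (-> 0), "0x10" (-> 16) and "1e3" (-> 1000), and things parseFloat()
// would silently truncate, such as "12abc" (-> 12).
const DECIMAL_RE = /^\s*[-+]?(\d+(\.\d*)?|\.\d+)\s*$/;

function parseAmount(raw) {
  if (typeof raw !== "string" || !DECIMAL_RE.test(raw)) {
    throw new TypeError(`not a decimal amount: ${JSON.stringify(raw)}`);
  }
  const value = Number(raw);
  // A long enough digit string still overflows to Infinity; refuse it.
  if (!Number.isFinite(value)) {
    throw new RangeError(`amount out of range: ${raw}`);
  }
  return value;
}

// Same summation, but nothing is ever evaluated as code.
function sumStepsSafe(steps) {
  return steps.reduce((total, s) => total + parseAmount(s), 0);
}

// Convenience for checking what the strict parser lets through.
function accepts(raw) {
  try {
    parseAmount(raw);
    return true;
  } catch (e) {
    return false;
  }
}

// Constructed inputs (hypothetical amounts, not real tax data).
const honestSteps = ["1000", "250.75", "0", "-50", "12.5"];
// Hostile variant: runs arbitrary code, then yields 1000 so the total is
// unchanged and nobody notices.
const hostileSteps = ["globalThis.pwned = true; 1000", "250.75", "0", "-50", "12.5"];

function demo() {
  const results = {};
  results.unsafeHonest = sumStepsUnsafe(honestSteps);
  results.unsafeHostile = sumStepsUnsafe(hostileSteps);
  // Side effect of the eval: the payload has already run by this point.
  results.pwnedAfterUnsafe = globalThis.pwned === true;
  results.safeHonest = sumStepsSafe(honestSteps);
  try {
    sumStepsSafe(hostileSteps);
    results.safeHostile = "executed";
  } catch (e) {
    results.safeHostile = "rejected";
  }
  return results;
}

console.log(demo());
```

The point worth noticing is that both the honest and the hostile input produce the same total through eval, which is exactly why this kind of bug survives in production: the numbers on the page come out right, and the code execution is invisible unless someone types an alert. The strict parser fails closed instead of guessing, which is the behaviour you want on a field that feeds a calculation.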
Westie writes: "My colleagues at work didn't even know that was possible." I suspect they knew that eval was possible- they were just shocked that anyone would use it to parse user input.