Rich-Harris/devalue

Is using devalue with localStorage a bad idea?

btakita opened this issue · 2 comments

@DanielRuf Do you see any security risks with using devalue to save to localStorage & using (0,eval)(localStorage.getItem(myKey)) to evaluate the item from localStorage? I have not been able to track down any literature on using eval on a localStorage item, other than "don't use eval" for obvious reasons. For example, could an attacker somehow write malicious JavaScript to localStorage, which will later be inadvertently executed by an app accessing & eval'ing the localStorage item?

It looks like indexedDB is well supported, so I'll use that instead. If you would like to answer, it would be interesting to know...

Not sure why I was mentioned here (I never worked on this project afaik), but to answer your question:

User-supplied input should never be completely / blindly trusted.

Any script running in the same context can manipulate the locally saved data. CSP and checks can help to prevent a few cases. But that does not prevent a user or some other code from manipulating it, which can lead to some interesting cases.

So far I do not see or understand the reason why you need eval here at all. If the data has to be in a specific format, you could use JSON Schema or some other structural validation approach.
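To make both the question and the reply concrete, here is an added example (not code from the devalue project or from either commenter). It puts the eval-based loader from the question next to a parse-and-validate loader of the kind the reply suggests, and feeds both the same tampered localStorage value. The storage shim, the key name `app:prefs`, the `theme`/`fontSize` shape and the tampered payload are all constructed for the example; the hand-written `validatePrefs` stands in for a JSON Schema validator.

```javascript
// Added example: eval-based loader vs. parse-and-validate loader for localStorage data.
// Not devalue's code; names and data below are constructed for illustration.

// In-memory stand-in for window.localStorage so the example runs in Node (constructed).
function makeStorage() {
  const store = new Map();
  return {
    getItem: (k) => (store.has(k) ? store.get(k) : null),
    setItem: (k, v) => { store.set(k, String(v)); },
  };
}

const KEY = 'app:prefs'; // hypothetical key name

// Loader from the question: whatever string sits under KEY is executed as JavaScript.
// Indirect eval runs it in global scope, with full access to the page's globals.
function loadWithEval(storage) {
  const src = storage.getItem(KEY);
  return src === null ? null : (0, eval)(src);
}

// Alternative from the reply: treat the string as data, parse it (JSON.parse never
// executes code), then check its shape before trusting it. A JSON Schema validator
// would do the same job; this hand-written check keeps the example dependency-free.
function validatePrefs(v) {
  if (v === null || typeof v !== 'object' || Array.isArray(v)) return false;
  const allowed = new Set(['theme', 'fontSize']);
  if (!Object.keys(v).every((k) => allowed.has(k))) return false;
  if ('theme' in v && !['light', 'dark'].includes(v.theme)) return false;
  if ('fontSize' in v && !(Number.isInteger(v.fontSize) && v.fontSize >= 8 && v.fontSize <= 32)) return false;
  return true;
}

function loadWithJson(storage) {
  const src = storage.getItem(KEY);
  if (src === null) return null;
  let parsed;
  try { parsed = JSON.parse(src); } catch { return null; } // not JSON: discard, nothing ran
  return validatePrefs(parsed) ? parsed : null;
}

// What any other script in the same origin (an XSS payload, a browser extension, a
// compromised third-party script, or the user in devtools) can write under KEY.
// It still evaluates to plausible-looking prefs, so the eval loader cannot tell.
const TAMPERED = '(globalThis.__pwned = true, {theme:"dark",fontSize:14})';

// Feed the tampered value to the eval loader; report whether foreign code ran.
function evalLoaderOutcome() {
  delete globalThis.__pwned;
  const storage = makeStorage();
  storage.setItem(KEY, TAMPERED);
  const prefs = loadWithEval(storage);
  return { codeRan: globalThis.__pwned === true, prefs };
}

// Feed the same tampered value, then a proper record, to the JSON loader.
function jsonLoaderOutcome() {
  delete globalThis.__pwned;
  const storage = makeStorage();
  storage.setItem(KEY, TAMPERED);
  const fromTampered = loadWithJson(storage);
  storage.setItem(KEY, JSON.stringify({ theme: 'dark', fontSize: 14 }));
  const fromGood = loadWithJson(storage);
  return { codeRan: globalThis.__pwned === true, fromTampered, fromGood };
}

// Stand-alone run (guarded so the file also loads cleanly as an ES module).
if (typeof require !== 'undefined' && require.main === module) {
  console.log('eval loader:', evalLoaderOutcome());
  console.log('json loader:', jsonLoaderOutcome());
}
```

The point of the comparison is that the eval loader has no way to distinguish a legitimate devalue string from one with a side effect bolted on, since both evaluate to the expected object; the JSON loader rejects the tampered string outright and, for well-formed input, still refuses anything outside the expected shape. Two practical caveats: an object literal handed to eval as a bare statement is parsed as a block, so an eval-based loader has to wrap the stored string in parentheses (the tampered payload above already does); and the validation step matters even on the JSON path, because localStorage is writable by everything in the origin, so the value is untrusted input whichever way it is read.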