

eval('foo=a', obj.fn); How you aren't private in Firefox - ajbatac
http://ajaxian.com/archives/evalfooa-objfn-how-you-arent-private-in-firefox

======
LogicHoleFlaw
Summary: eval('statement', fn) lets you evaluate that statement in the
environment context of fn. This includes access to the environment closed over
by the function.

------
yan
I am asking because I am honestly not sure, but why is this a big deal?

~~~
LogicHoleFlaw
One pattern in Javascript is to use closures to make variables "private" in
the sense that a limited set of functions can access them in a shared
environment. This particular use of eval() lets a third party evaluate its own
code in that same environment, thereby gaining access to those closed values.

Honestly I'm a little bit surprised by this myself. A lot of library writers
have assumed that those closed variables are not visible to users of their
libraries.

[Edit:] I'm not convinced that this is a negative thing. I'm a _lot_ more
worried about name collisions than perfect data hiding in a dynamic language.
If someone wants to jump hoops to alter my private data, let them.

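The closure pattern described above, plus a small check for whether the engine you are running on honours a second "scope" argument to eval() at all. This is an added example, not code from the thread or the linked Ajaxian article; `makeVault` and `closureLeaksViaTwoArgEval` are names chosen here. On a standards-conforming engine (Node, current browsers) the extra argument is ignored and the probe returns false.

```javascript
// Added example: closure-based "private" state and an engine capability probe.

// Module-style object: `secret` lives only in the closure, never as a property.
function makeVault(initialSecret) {
  let secret = initialSecret;           // closed-over binding, not on the object
  return {
    check(guess) { return guess === secret; },
    rotate(next) { secret = next; },
  };
}

// Returns true if `eval(expr, fn)` resolves `identifier` inside fn's closure,
// i.e. the engine implements the old two-argument Firefox form.  In ECMAScript
// eval takes one argument; extra arguments are ignored and the string is
// evaluated in the caller's scope, so a name that exists only in the closure
// raises ReferenceError and the probe returns false.
function closureLeaksViaTwoArgEval(fn, identifier) {
  try {
    // Indirect call (0, eval) evaluates in global scope, so `identifier`
    // cannot accidentally resolve to a local variable of this helper.
    (0, eval)(identifier, fn);
    return true;                        // resolved: closure contents are exposed
  } catch (e) {
    if (e instanceof ReferenceError) return false;
    throw e;                            // any other error is a real bug
  }
}

// Constructed sample: the public API works, the binding is not a property,
// and on this engine the two-argument eval form does not reach it.
const vault = makeVault('example-secret');
function demo() {
  return {
    checkOk: vault.check('example-secret'),              // true
    exposedAsProperty: typeof vault.secret !== 'undefined', // false
    leaks: closureLeaksViaTwoArgEval(vault.check, 'secret'), // false here
  };
}
```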
~~~
yan
I understand the use of closures for data hiding, but why is it news that a
cute trick can get you access to the private members? If you dump whatever a
C++ object ptr is pointing to, you'll see its privates too.

I just don't see it as anything to be raising a fuss over.

~~~
timr
Do that in C++, and you'll be doing something extremely implementation-defined,
so it's kind of a different animal.

(That said, this is an implementation-specific detail, too.)

