bcx-expression-evaluator
Advanced tools
Safely evaluate a JavaScript like expression in given context.
Safely evaluate a JavaScript-like expression in given context.
In Buttonwood, we heavily use meta-data (JSON format) to deliver business logic from backend to front-end. We don't want to design a meta-data format too complex to maintain, this tool allows us to define some light logic in pure string, way more flexible than rigid meta-data, much safer and more maintainable than passing js function as string (we did that) from backend to front-end.
This tool was mainly extracted, modified and extended from the expression parser of aurelia-binding.
npm install --save bcx-expression-evaluator
function evaluate(expression, context, helper, opts)
expression: the expression string to be evaluatedcontext: the input model objecthelper: optional helper objectopts: optional hashmap, currently only support rejectAssignment and stringInterpolationMode
rejectAssignment rejects assignment in expressionstringInterpolationMode treats the whole expression like if it's in backticks `expression`function evaluateStringInterpolation is a short-cut to call evaluate with stringInterpolationMode option.
import {evaluate, evaluateStringInterpolation} from 'bcx-expression-evaluator';
const context = {
a: 1,
b: 2,
c: {
one: 'one',
two: 'two'
},
avg: function() { return (this.a + this.b) / 2; }
};
evaluate('avg() > a ? c.one : c.two', context); // => 'one';
const helper = {
limit: 5,
sum: (v1, v2) => v1 + v2
};
evaluate('sum(a, b) > limit', context, helper); // => false;
$this variableevaluate('$this', context); // => the context object
evaluate('$this.a', context); // => 1
$parent variable(carried over from aurelia-binding, might change $parent to $helper in future releases.)
evaluate('a', {a:1}, {a:2}); // => 1
evaluate('$this.a', {a:1}, {a:2}); // => 1
evaluate('$parent.a', {a:1}, {a:2}); // => 2
evaluate('`${a+1}`', {a:1}); // => '2'
You can evaluate a string interpolation without backtick "`"
evaluate('${a+1}', {a:1}, null, {stringInterpolationMode: true}); // => '2'
evaluateStringInterpolation('${a+1}', {a:1}); // => '2'
You don't have to escape backtick in stringInterpolationMode
evaluate('`\\`${a+1}\\``', {a:1}); // => '`2`', beware you need double escape as we are writing expression in string quotes
evaluate('`${a+1}`', {a:1}, null, {stringInterpolationMode: true}); // => '`2`'
evaluateStringInterpolation('`${a+1}`', {a:1}); // => '`2`'
evaluate('parseInt(a, 10)', {a:"7"}) // => undefined
// only have access to context and helper
evaluate('parseInt(a, 10)', {a:"7"}, {parseInt: parseInt}) // => 7
evaluate('a.b', {}) // => undefined, no error thrown
evaluate('a.b || c', {c: 'lorem'}) // => 'lorem', no error thrown
let obj = {a: 1, b: 2};
evaluate('a = 3', obj); // obj is now {a: 3, b: 2}
evaluate('b > 3 ? (a = true) : (a = false)', obj); // obj is now {a: false, b: 2}
This doesn't eliminate side effect, it would not prevent any function you called in bcx-expression to mutate something.
evaluate('a=1', {a:0}, null, {rejectAssignment: true}); // throws error
bcx-expression looks like JavaScript expression, but there are some difference.
let obj = {a: 1};
obj.b.a // => error
evaluate('b.a', obj); // => undefined
Behaviour carried over from aurelia-binding.
// +/- behaviour in normal JavaScript expression
undefined + 1 // => NaN
1 + undefined // => NaN
null + 1 // => 1
1 + null // => 1
undefined + undefined // => NaN
null + null // => 0
// in bcx-expression, + and - ignores undefined/null value,
// if both left and right parts are (evaluated to) undefined/null, result default to 0
evaluate('undefined + 1'); // => 1
evaluate('1 + undefined'); // => 1
evaluate('null + 1'); // => 1
evaluate('1 + null'); // => 1
evaluate('undefined + undefined'); // => 0
evaluate('null + null'); // => 0
// all following JavaScript expressions would not work in bcx-expression
(function(){return 1})()
(() => 1)()
arr.sort((a, b) => a > b)
// but this would work
arr.sort(aHelperFunc)
Regex syntax is too complex to be supported for our AST (abstract syntax tree).
// regex literal would not work in bcx-expression.
/\w/.test(string)
One way to bypass this is to supply regex literal in helper object.
evaluate('tester.test(str)', {str: '%'}, {tester: /\w/});
typeof, instanceof, delete would not work, because bcx-expression is not real JavaScript.
FAQs
Safely evaluate a JavaScript like expression in given context.
The npm package bcx-expression-evaluator receives a total of 1,520 weekly downloads. As such, bcx-expression-evaluator popularity was classified as popular.
We found that bcx-expression-evaluator demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 2 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Research
A malicious npm package disguised as a WhatsApp client is exploiting authentication flows with a remote kill switch to exfiltrate data and destroy files.
Security News
PyPI now supports digital attestations, enhancing security and trust by allowing package maintainers to verify the authenticity of Python packages.
Security News
GitHub removed 27 malicious pull requests attempting to inject harmful code across multiple open source repositories, in another round of low-effort attacks.