What you describe does not prevent a hostile client from sending arbitrary code to be executed. It is a security hole.
If you want to have client code trigger some functions on the server, then pass some data that your server will parse and check to make sure that only the appropriate code is executed. It could be a JSON structure like this that the client sends:

```json
{
  "name": "foo",
  "arguments": ["a", "b", "c"]
}
```
When the server receives it and parses it with `JSON.parse`, it verifies that `name` is a valid value and invokes the corresponding function. The functions could be in a structure like this:
```javascript
var dispatch = {
  foo: function (a, b, c) { },
  bar: function (a) { }
  // etc...
}
```
And once the JSON data is parsed and stored into a variable named `data` (for instance), the invocation could be:

```javascript
dispatch[data.name].apply(undefined, data.arguments)
```
If needed, return data could also be returned to the client as a JSON structure.
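As an added illustration (not code from the answer above), here is one way to write the "verify that name is valid" step so that only functions explicitly registered in the dispatch table can be invoked; the `handleCommand` function, the `Object.create(null)` table and the result shape are assumptions of this example. It also rejects names that would otherwise resolve through the prototype chain, such as `constructor` or `__proto__`, and enforces the registered function's arity.

```javascript
// Added example: a whitelist dispatcher for {"name": ..., "arguments": [...]}
// commands. The table has no prototype, so a lookup can never reach
// Object.prototype members, and the own-property check rejects anything
// that was not explicitly registered.
const dispatch = Object.create(null);
dispatch.foo = function (a, b, c) { return [a, b, c].join("-"); };
dispatch.bar = function (a) { return a.toUpperCase(); };

function handleCommand(rawJson) {
  let data;
  try {
    data = JSON.parse(rawJson);
  } catch (e) {
    return { ok: false, error: "invalid JSON" };
  }
  if (data === null || typeof data !== "object" || typeof data.name !== "string") {
    return { ok: false, error: "malformed command" };
  }
  // Only names that are own properties of the table are accepted.
  if (!Object.prototype.hasOwnProperty.call(dispatch, data.name)) {
    return { ok: false, error: "unknown function: " + data.name };
  }
  const args = Array.isArray(data.arguments) ? data.arguments : [];
  const fn = dispatch[data.name];
  // Reject calls whose argument count does not match the registered function.
  if (args.length !== fn.length) {
    return { ok: false, error: "wrong arity for " + data.name };
  }
  try {
    return { ok: true, result: fn.apply(undefined, args) };
  } catch (e) {
    // A failing handler must not leak its exception details to the client.
    return { ok: false, error: "function failed" };
  }
}
```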