Answer 1. Using only the symbols you've listed, you can't make identifiers, so the only programs possible are arithmetic expressions. To answer the narrow question, the answer is no.
Yet Stack Overflow is read by many, and there are some closely related issues that would change the consequences in similar situations.
Answer 2. Answer 1 is best used when the code base is maintained by a single person who knows what they're doing. If someone came along later and wanted the user (say) to be able to symbolically reference a price elsewhere, now you have identifiers. If a later change were simply to add characters to a regex, because that's the simplest way to get it working, then you're at risk. While I am generally not a fan of language features that attempt to prevent stupidity, this is a particular way of writing code for a specific task that seems far too prone to bad modification.
Answer 3. The original reference implementation of the JSON parser actually uses eval(), but it guards that statement with a JSON syntax verifier that ensures that the input is well-formed. It does this without a parser, but rather by some cleverly written regular expressions that recognize valid substrings and compact them. It's somewhat analogous to a reduce operation in syntax-directed translation, but without actually evaluating the expression. In the present situation, a regex substitution such as /[0-9]+\+[0-9]+/0/ rewrites a primitive addition as 0. Write one rule for each possible reduction, and put them all in a loop. The loop terminates when the initial string length is the same as that of the final string. The acceptance pattern after the rewrite would then be /[0-9]+/, and usually just 0.
Answer 4. Using a parser generator is often the best solution for this class of problems if there's any possibility that the kinds of expressions ever need identifiers. I wouldn't trust a regex rewriting system to be maintained correctly in such a case. Admittedly it seems like overkill for the question exactly as posed.
I recommend Answer 3 for production code.
Answer 2 Expansion. The biggest identifiable risk (a subset of all risks) is that someone adds $ to the accepted list of characters, because it's a price field, after all, and "users have complained". $ is a valid identifier (frequently assigned as jQuery), but so is $0, and $0() is a valid function call. Although this is not a proximate risk, it is a contributory one, say, if there's some other security defect that allows defining, but not calling, the property window.$0. Such code would be a security defect, even if it does not by itself lead to a security breach.
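The regex-reduction guard described in Answer 3, written out as an added example (this is not code from the answer or from the JSON reference implementation; the rule set, the padded " 0 " replacement and the guardedEval name are my own choices). It collapses well-formed integer arithmetic to a single number and refuses anything else before eval() runs, so loosening the character whitelist alone, as in the Answer 2 Expansion, is no longer enough to reach an identifier.

```javascript
// Added example, not from the original answer. Each rule rewrites one reducible
// form to " 0 ", padded with spaces so adjacent digits never merge into a new,
// bogus number (e.g. "2(3)" must not turn into "20" and pass).
const RULES = [
  [/\(\s*[0-9]+\s*\)/g, ' 0 '],            // ( N )  -> 0
  [/[0-9]+\s*[+\-*/]\s*[0-9]+/g, ' 0 '],   // N op N -> 0  (unary minus is not supported: rejected)
];

// True if the expression reduces to a lone number under RULES. The loop stops
// when a full pass changes nothing; a string comparison is used instead of the
// length check in the prose, because "1+2+3" -> " 0 +3" keeps its length.
function reducesToNumber(expr) {
  let s = expr;
  for (;;) {
    const before = s;
    for (const [re, repl] of RULES) s = s.replace(re, repl);
    if (s === before) break;
  }
  return /^\s*[0-9]+\s*$/.test(s);
}

// Alphabet whitelist first, then the structural check, then evaluation.
// Returns { ok: true, value } or { ok: false, reason }.
function guardedEval(expr) {
  if (!/^[0-9+\-*/() ]+$/.test(expr)) return { ok: false, reason: 'bad character' };
  if (!reducesToNumber(expr)) return { ok: false, reason: 'not an arithmetic expression' };
  return { ok: true, value: eval(expr) }; // eslint-disable-line no-eval
}
```

The structural check is what matters: reducesToNumber('$0()') is false regardless of what the whitelist admits, so a later "helpful" edit to the alphabet does not by itself open the eval() to identifiers.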