Author:

Martin Lester

Title:

Transforming Eval to Staged Metaprogramming 

Abstract:

Static analysis of JavaScript code using eval is an important but
challenging problem concerning the security of Web applications. In recent
work, we have considered how to perform static analysis on code written
using a formalism called "staged metaprogramming", which captures the
construction, composition and execution of code templates. To apply our
work to JavaScript, we must also consider how to transform string-based eval
into template-based staged metaprogramming.

We outline an algorithm to automate this transformation. The "Boxing
Algorithm" is based on existing string analysis techniques and our static
analysis of staged metaprogramming. We combine these with a novel way of
adapting a language's parser to reason about the structure of code generated
at run-time.