Good day. I started going through the code of my site and found a couple of JS files that use eval. All operations use this construct:

    textJoin = rezultAjax;
    answer = eval('(' + textJoin + ')');
    if (answer.error.code == 1) {
        alert(answer.error.text);
        return;
    }

That is, an AJAX request is sent (for example, feedback on the site) and the result is processed by this eval; if the code is 1, then the request has completed with an error and an alert is shown.

Question: in this case, are these evals in JS dangerous? If so, what exactly?

  • You need to look at all the processing of the AJAX request and the methods for calling it. And so, if these are local variables, then most likely there is nothing to be afraid of, because they cannot be accessed from outside, which means it cannot be used for personal gain - ThisMan
  • 2
    So eval can execute any code that it receives. Therefore, to use it, you need to be sure of who is sending the answer, and that the answer will do no more than what you expect. Apparently, it is possible that this code with eval can be replaced simply with JSON.parse - Grundy
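
The JSON.parse replacement suggested in the comment above, shown beside the eval pattern from the question. This is an added example, not code from the original posts; the function names, the `sideEffects` marker and the sample responses are constructed for illustration.

```javascript
// Constructed sample responses (assumed shape: {"error": {"code", "text"}}).
const okResponse = '{"error":{"code":0,"text":""}}';
const errResponse = '{"error":{"code":1,"text":"Message too short"}}';
// Valid JavaScript but not valid JSON: evaluating it runs the call first.
// Stands in for a response altered in transit or built from unescaped input.
const tamperedResponse = 'sideEffects.push("ran"), {"error":{"code":0,"text":""}}';

const sideEffects = []; // records whether response text was executed as code

// Pattern from the question: the response text is evaluated as JavaScript.
function handleWithEval(responseText) {
  const answer = eval('(' + responseText + ')');
  return answer.error.code == 1 ? answer.error.text : null;
}

// Hardened form: parse as data only, then check the shape before using it.
function handleWithParse(responseText) {
  let answer;
  try {
    answer = JSON.parse(responseText); // throws SyntaxError on anything but JSON
  } catch (e) {
    return { ok: false, message: 'Malformed server response' };
  }
  const err = answer !== null && typeof answer === 'object' ? answer.error : undefined;
  if (err === null || typeof err !== 'object' || typeof err.code !== 'number') {
    return { ok: false, message: 'Unexpected response shape' };
  }
  if (err.code === 1) {
    return { ok: false, message: String(err.text) };
  }
  return { ok: true, message: '' };
}
```

With the tampered response, `handleWithEval` runs the embedded call and still returns as if nothing happened, while `handleWithParse` rejects the text without executing any of it.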
