How dangerous is the eval function in JavaScript on the client side? Apart from it being harder to debug, I do not see any flaws. As for other languages, with Python or PHP it is all clear to me.
- Apart from the fact that it is potentially slower, it allows executing any code, and if you do not track the origin of the string passed to eval, security holes are possible. - Vladimir Gamalyan
- What kind of security are we talking about? After all, the user can execute code in the console anyway. Or am I missing something? - Node_pro
- The code that is executed there runs on behalf of the user. If it is malicious code, it can, for example, send an e-mail on behalf of the user (if we are in the context of a webmail client). - VladD
- @Node_pro For example, some of the user's personal data will leak to a third party. - Vladimir Gamalyan
- @Node_pro It can also be done through the console, but those are already explicit user actions; malicious code will not open the console by itself and launch itself there. - Vladimir Gamalyan
1 answer
- eval requires compilation every time it is called, so it slows down the script
- A malicious script can find a way to pass an argument to eval and execute any malicious code WITHOUT the user's knowledge
- eval is a bad approach. It is an official crutch; there is always a safer and more convenient way. As good books usually put it: "If you use eval or goto, then you are doing something wrong"
- eval inherits the context in which it is invoked, every time it is called
- eval tries to access all the variables it can reach, with all the consequences
In any case, eval's biggest problem is its security risk potential, the size of a universe. :) You cannot keep track of everything.
- The context inside an eval depends on how it is called; it does not always inherit the current one - Grundy
- "If you use eval or goto, then you are doing something wrong" is somehow too categorical - Grundy
- As for slowing down, nothing can be said without tests either, and tests across different browsers - Grundy
- @Grundy Where is that written? I read in the specification that eval is always bound to the current scope, including in the new ES, no matter how it is called. - SlyDeath
- @Grundy Of course categorically. These are rules written in blood. If a programmer cannot write code without functions that are difficult to debug or that create a 99 percent risk of errors or security holes, then there is something wrong with this programmer. - SlyDeath
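An added example (not from the question, the answer or the comments) illustrating two points raised above: the answer's warning that a string of uncontrolled origin passed to eval runs as code with the page's privileges, and Grundy's comment that the scope eval sees depends on how it is called. The names unsafeParse, safeParse and the constructed hostileInput are assumptions of this example.

```javascript
'use strict';

// Record of side effects, so it is observable whether embedded code ran.
const sideEffects = [];

// Vulnerable pattern: treating data as code. Whoever controls the string
// controls a program that runs in the page, e.g. reading or sending user data.
function unsafeParse(text) {
  return eval('(' + text + ')');
}

// Hardened pattern: a data-only parser. Input that is not pure JSON
// (including anything that looks like code) is rejected, never executed.
function safeParse(text) {
  try {
    return JSON.parse(text);
  } catch (e) {
    return null;
  }
}

// Constructed input: looks like a config object, but the "value" is a
// statement with a side effect. push() returns the new array length (1).
const hostileInput = '{ x: sideEffects.push("ran inside eval") }';

// Direct eval inherits the caller's scope: a local variable is visible.
function directEvalSeesLocals() {
  const secretLocal = 'visible';
  return eval('typeof secretLocal'); // "string"
}

// Indirect eval (called through another reference) runs in global scope,
// so the same local is out of reach. This is the case Grundy refers to.
function indirectEvalSeesLocals() {
  const secretLocal = 'visible';
  const indirectEval = eval;
  return indirectEval('typeof secretLocal'); // "undefined"
}
```

Run safeParse first on the constructed input: it returns null and the sideEffects array stays empty, while unsafeParse on the same string returns an object and leaves a trace in sideEffects, which is exactly the "without the user's knowledge" execution the answer warns about.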