I am building an application where I load scripts on the go:
```javascript
var newScript = document.createElement("script");
newScript.src = "script.js";
document.head.appendChild(newScript);
```
The scripts are in the same domain, so rather than using a script tag I am considering using ajax+eval as it gives me more flexibility (in particular to synchronize with other scripts). Are both options equivalent, or is there any additional risk when using eval?
With regards to risk, both are equivalent.
Both methods execute the downloaded script blindly (without checking). The only difference is that you can’t execute script from other domains with ajax.
On the other hand, by downloading the script as text before eval-ing it you have the chance to run some text processing on it, such as checking for known malicious attacks, linting it, etc. So you could, in theory, build a secure and/or restricted execution environment by using ajax+eval. But figuring out what is malicious and what is benign is not easy.