Home/ Questions/Q 6350609
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-24T21:50:40+00:00

Mozilla’s Content Security Policy disallows the use of javascript eval function as well as

  • 0

Mozilla’s Content Security Policy disallows the use of javascript eval function as well as inline scripts. They claim that all instances of eval can be replaced by another (hopefully safer) function. I agree in most scenarios, Javascript eval can be replaced, but I’m not sure whether the replacement is possible for every case.

My question is twofold:

  1. Is there a generic way to replace every javascript eval function? (doesn’t have to be safe)
  2. Is there a case where the Javascript eval cannot be replaced?
Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    The most common uses which can be substituted are the following ones. I would certainly use these first.

    1. Accessing dynamic properties

      Do use: obj[keyAsVariable]

      Don’t use eval('obj.' + keyAsVariable)

    2. Parsing JSON

      Do use JSON.parse(data)

      Don’t use eval('(' + data + ')')

    3. Calculating user input

      Do use a certain library

      Don’t use eval(input)

    If really necessary, you can also send the script to a server which simply echoes it back, and you can request it as a script tag. It won’t use eval but still execute it. It isn’t safe as it’s sent twice over the Internet.

    var s = document.createElement('script')
s.src = 'request_script?data=' + data;
document.getElementsByTagName('head')[0].appendChild(s);

    request_script could be a file implemented in PHP, like the following. Again, it’s bad practice but is a generic way of circumventing eval.

    <?
echo $_GET['data'];
?>

    You could say that this also automatically answers your second question with ‘no’.

    • 0