Possible Duplicate:
When is JavaScript's eval() not evil?
I was wondering: besides eval activating the interpreter again, causing overhead, the only situation in which it can be bad (except what I’ve just written) is when JS sends data (which is eval'd) to the server.
I don’t see any other scenario; if a user wants to play with the JS, he will play only within his browser's boundaries (unless JS is interacting with the server).
Am I right?
I’d be happy for corrections.
Strictly speaking, there is nothing actually, physically harmful in using eval, because it does nothing more than what the browser’s console can already do.

There is a potential danger of injection, but that’s the same risk as putting any user-supplied input into a <script> tag, not a particularity of eval.

The main reason to avoid eval is because it has to interpret a string. Now, to be fair, just running a JavaScript file is basically the same as calling a great big eval over the whole file (broadly speaking), because JavaScript is interpreted (or at most compiled at run-time). Therefore, using eval sparsely, where it only gets run, say, when a user clicks on a button, is fine. Noticeable effects will only appear if you end up with eval running frequently, such as in a loop. This is why people will always tell you to pass a function to setTimeout instead of a string, for instance.

That said, there is always an alternative to using eval. It may require rewriting parts of older code, but it’s always avoidable.
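
The alternatives the answer above refers to, as an added example that is not part of the original answer: the same string handled by eval and by JSON.parse, a member lookup without eval, and setTimeout given a function. All names (parseWithEval, parseWithJson, callHandler, greetLater, evalSideEffect) and both sample strings are constructed for illustration.

```javascript
// Constructed sample inputs (not from the page).
const benign = '{"user":"alice","level":3}';
const hostile = '{"user":"mallory","level":(globalThis.evalSideEffect = 1)}';

// eval treats the string as a program, so any expression inside it runs.
function parseWithEval(text) {
  return eval('(' + text + ')');
}

// JSON.parse accepts data only and throws SyntaxError on anything else.
function parseWithJson(text) {
  try {
    return { ok: true, value: JSON.parse(text) };
  } catch (err) {
    return { ok: false, error: err.name };
  }
}

// Replaces eval('handlers.' + name + '(arg)'): bracket lookup limited to
// the object's own properties, so inherited names such as "constructor" fail.
function callHandler(handlers, name, arg) {
  if (!Object.prototype.hasOwnProperty.call(handlers, name)) {
    throw new RangeError('unknown handler: ' + name);
  }
  return handlers[name](arg);
}

// setTimeout with a function instead of a code string: nothing is re-parsed.
function greetLater(name, done) {
  return setTimeout(() => done('hello ' + name), 0);
}

// Demo run on the constructed inputs.
console.log(parseWithJson(benign));
console.log(parseWithJson(hostile));
console.log(parseWithEval(hostile), globalThis.evalSideEffect);
greetLater('alice', console.log);
```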