Home/ Questions/Q 8010337
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-04T18:42:26+00:00

So the age old standard is that using Eval is bad because it can

  • 0

So the age old standard is that using Eval is bad because it can cause major security issues; especially in scenarios where you are evaluating something that potentially came from user input somewhere down the line. This makes 100% sense, and I have never had any problem avoiding the use of Eval. I was facing an odd situation recently, though, that sort of made me think about this type of thing a bit differently.

I wrote a JS function sort of like:

function someFun(param, callback) {
    bool = someOtherFun(param);
    if(bool)
        callback();
    else
        return false;
}

This is much stripped down, but the principal is the same: it calls another function and based on the return value of that will either execute a function provided as a parameter or it will return false. It made me think, though, that this sort of thing could be exploited just as easily as Eval(txtbox.value) with the use of the JS console in F12. Does that matter?

In this world of F12, it seems to me like Eval is the least of our worries. Anyone who knows what an injection attack is is likely to know what F12 is as well. Am I wrong?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    While you are correct that tools like F12 and firebug expose your JavaScript to a new level of scrutiny and make it easy for people to attack, you are missing the danger of using eval.

    Instead of worrying what a the current user (with the page loaded in the browser might do) lets concern our selves with their co-worked at the next computer. Suppose that co-worker types a comment on Stack Overflow, which is then stored in a database, and then sent out to our user’s computer to be displayed. And lets suppose that as part of that rendering process that comment is encoded into JSON and then eval is called on it.

    This is where there is a dangerous exploit waiting that has nothing to do with our user inspecting or executing their own JavaScript on the page. If their co-worker embedded malicious JavaScript in their comment and we call eval on it, that JavaScript may be executed causing that malicious code to run on every computer that views the page.

    That is why we should avoid using eval.

    • 0