When is JavaScript’s eval() not evil?

by

I’d like to take a moment to address the premise of your question – that eval() is “evil“. The word “evil“, as used by programming language people, usually means “dangerous”, or more precisely “able to cause lots of harm with a simple-looking command”. So, when is it OK to use something dangerous? When you know what the danger is, and when you’re taking the appropriate precautions.

To the point, let’s look at the dangers in the use of eval(). There are probably many small hidden dangers just like everything else, but the two big risks – the reason why eval() is considered evil – are performance and code injection.

  • Performance – eval() runs the interpreter/compiler. If your code is compiled, then this is a big hit, because you need to call a possibly-heavy compiler in the middle of run-time. However, JavaScript is still mostly an interpreted language, which means that calling eval() is not a big performance hit in the general case (but see my specific remarks below).
  • Code injection – eval() potentially runs a string of code under elevated privileges. For example, a program running as administrator/root would never want to eval() user input, because that input could potentially be “rm -rf /etc/important-file” or worse. Again, JavaScript in a browser doesn’t have that problem, because the program is running in the user’s own account anyway. Server-side JavaScript could have that problem.

On to your specific case. From what I understand, you’re generating the strings yourself, so assuming you’re careful not to allow a string like “rm -rf something-important” to be generated, there’s no code injection risk (but please remember, it’s very very hard to ensure this in the general case). Also, if you’re running in the browser then code injection is a pretty minor risk, I believe.

As for performance, you’ll have to weight that against ease of coding. It is my opinion that if you’re parsing the formula, you might as well compute the result during the parse rather than run another parser (the one inside eval()). But it may be easier to code using eval(), and the performance hit will probably be unnoticeable. It looks like eval() in this case is no more evil than any other function that could possibly save you some time.

More Related Contents:

  1. Why is using the JavaScript eval function a bad idea?
  2. Executing elements inserted with .innerHTML
  3. Convert a string to a template string
  4. Are eval() and new Function() the same thing?
  5. What’s the best way to convert a number to a string in JavaScript?
  6. Declaring multiple variables in JavaScript
  7. JavaScript: What dangers are in extending Array.prototype?
  8. style.display=’none’ doesn’t work on option tags in chrome, but it does in firefox
  9. Why does JavaScript’s eval need parentheses to eval JSON data?
  10. Is it possible to achieve dynamic scoping in JavaScript without resorting to eval?
  11. Why {} + {} is NaN only on the client side? Why not in Node.js?
  12. What does this “(function(){});”, a function inside brackets, mean in javascript? [duplicate]
  13. JavaScript braces on new line or not? [closed]
  14. Is Javascript eval() so dangerous? [duplicate]
  15. Specify scope for eval() in JavaScript?
  16. Is there a better way of writing v = (v == 0 ? 1 : 0); [closed]
  17. what does eval do and why its evil? [duplicate]
  18. Safely sandbox and execute user submitted JavaScript?
  19. Javascript document write overwriting page?
  20. setTimeout() with string or (anonymous) function reference? speedwise [closed]
  21. Accessing or creating nested JavaScript objects with string key without eval
  22. What are the Alternatives to eval in JavaScript?
  23. How to code a calculator in JavaScript without ‘eval’
  24. Context-preserving eval
  25. Are there any coding standards for JavaScript? [closed]
  26. Alternatives to JavaScript eval() for parsing JSON
  27. JavaScript style for optional callbacks
  28. JavaScript: inline functions vs predefined functions
  29. How can I programmatically copy all of the style attributes from one DOM element to another
  30. JQuery getJSON – ajax parseerror

Leave a Comment