Why is using the JavaScript eval function a bad idea?

by

  1. Improper use of eval opens up your
    code for injection attacks

  2. Debugging can be more challenging
    (no line numbers, etc.)

  3. eval’d code executes slower (no opportunity to compile/cache eval’d code)

Edit: As @Jeff Walden points out in comments, #3 is less true today than it was in 2008. However, while some caching of compiled scripts may happen this will only be limited to scripts that are eval’d repeated with no modification. A more likely scenario is that you are eval’ing scripts that have undergone slight modification each time and as such could not be cached. Let’s just say that SOME eval’d code executes more slowly.

More Related Contents:

  1. Is Javascript eval() so dangerous? [duplicate]
  2. Alternatives to JavaScript eval() for parsing JSON
  3. Exploiting JavaScript’s eval() method
  4. How to secure javascript code from being run on other domain (stolen) ? need more ideas
  5. Can we protect against SQL-injection by writing Javascript code correctly? how? [closed]
  6. Convert a string to a template string
  7. Are eval() and new Function() the same thing?
  8. AngularJS changes URLs to “unsafe:” in extension page
  9. How to prevent your JavaScript code from being stolen, copied, and viewed? [closed]
  10. Why does JavaScript’s eval need parentheses to eval JSON data?
  11. Is it possible to achieve dynamic scoping in JavaScript without resorting to eval?
  12. Why do people put code like “throw 1; ” and “for(;;);” in front of json responses? [duplicate]
  13. Unsafe JavaScript attempt to access frame in Google Chrome
  14. Specify scope for eval() in JavaScript?
  15. how to make sure only my own website (clientside code) can talk to Firebase backend?
  16. Secure distribution of NodeJS applications
  17. What are the AES parameters used and steps performed internally by crypto-js while encrypting a message with a password?
  18. what does eval do and why its evil? [duplicate]
  19. Safely sandbox and execute user submitted JavaScript?
  20. How to prevent direct access to my JSON service?
  21. Security Issues for allowing users to add own JavaScript to your site?
  22. How to prevent html/JavaScript code modification
  23. Accessing or creating nested JavaScript objects with string key without eval
  24. How to code a calculator in JavaScript without ‘eval’
  25. Why does Google prepend while(1); to their JSON responses?
  26. Web application access user’s file system
  27. How to secure the JavaScript API Access Token?
  28. What makes an input vulnerable to XSS?
  29. Javascript – key / certificate from USB Token
  30. Embedding youtube video “Refused to display document because display forbidden by X-Frame-Options”

Leave a Comment