Introduction

In JavaScript, the eval function evaluates a string as if it were JavaScript code. The return value is the result of the evaluated string, e.g. eval('2 + 2') returns 4.

eval is available in the global scope. The lexical scope of the evaluation is the local scope unless invoked indirectly (e.g. var geval = eval; geval(s);).

The use of eval is strongly discouraged. See the Remarks section for details.

Syntax

• eval(string);

Parameters

Parameter | Details | — | —| string | The JavaScript to be evaluated. |

Remarks

The use of eval is strongly discouraged; in many scenarios it presents a security vulnerability.

eval() is a dangerous function, which executes the code it’s passed with the privileges of the caller. If you run eval() with a string that could be affected by a malicious party, you may end up running malicious code on the user’s machine with the permissions of your webpage / extension. More importantly, third party code can see the scope in which eval() was invoked, which can lead to possible attacks in ways to which the similar Function is not susceptible.

[MDN JavaScript Reference](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/eval#Don't_use_eval_needlessly!)

Additionally:

• Exploiting JavaScript’s eval() method
• What are the security issues with “eval()” in JavaScript?