In JavaScript, the `eval` function evaluates a string as if it were JavaScript code. The return value is the result of the evaluated string, e.g. `eval('2 + 2')` returns `4`.

`eval` is available in the global scope. The lexical scope of the evaluation is the local scope unless invoked indirectly (e.g. `var geval = eval; geval(s);`).

The use of `eval` is strongly discouraged. See the Remarks section for details.
| Parameter | Details |
| --- | --- |
| string | The JavaScript to be evaluated. |
The use of `eval` is strongly discouraged; in many scenarios it presents a security vulnerability.

> `eval()` is a dangerous function, which executes the code it's passed with the privileges of the caller. If you run `eval()` with a string that could be affected by a malicious party, you may end up running malicious code on the user's machine with the permissions of your webpage / extension. More importantly, third party code can see the scope in which `eval()` was invoked, which can lead to possible attacks in ways to which the similar `Function` is not susceptible.

[MDN JavaScript Reference](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/eval#Don't_use_eval_needlessly!)
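The following is an added example, not code from the original page or from MDN. It demonstrates the two points made above: that a direct `eval` call can read the caller's local variables while an indirect call (and the `Function` constructor) only sees the global scope, and that when an untrusted string is really data, `JSON.parse` handles it without executing anything. The variable `secret` and the sample JSON string are constructed for this example.

```javascript
// Added example (not from the original page): scope visibility of direct eval,
// indirect eval and the Function constructor, plus the data-not-code alternative.

// Direct call: eval sees the caller's lexical scope. An attacker-controlled
// string evaluated here could read (or exfiltrate) `secret`.
function directEvalSeesLocals() {
  const secret = 'local value'; // constructed local for the demonstration
  return eval('secret');
}

// Indirect call: assigning eval to another name makes the call indirect, so the
// string is evaluated in the global scope and cannot see `secret`.
// Referencing it throws a ReferenceError instead.
function indirectEvalCannotSeeLocals() {
  const secret = 'local value';
  const geval = eval;
  try {
    return geval('secret');
  } catch (e) {
    return e.name; // 'ReferenceError'
  }
}

// new Function behaves like indirect eval: the body only sees the global scope,
// which is why MDN describes it as not susceptible to the scope-leak problem.
function functionConstructorCannotSeeLocals() {
  const secret = 'local value';
  try {
    return new Function('return secret')();
  } catch (e) {
    return e.name; // 'ReferenceError'
  }
}

// Most real uses of eval on untrusted input are parsing data, not running code.
// JSON.parse accepts only JSON, so a string containing an expression or a
// statement is rejected with a SyntaxError rather than executed.
function parseUntrustedData(text) {
  try {
    return { ok: true, value: JSON.parse(text) };
  } catch (e) {
    return { ok: false, error: e.name };
  }
}

// Constructed sample inputs: one valid JSON document and one non-JSON string
// that eval would have evaluated as an expression.
const SAMPLE_JSON = '{"user":"alice","admin":false}';
const SAMPLE_EXPRESSION = '1 + 1';

if (typeof require !== 'undefined' && require.main === module) {
  console.log('direct eval:', directEvalSeesLocals());
  console.log('indirect eval:', indirectEvalCannotSeeLocals());
  console.log('Function:', functionConstructorCannotSeeLocals());
  console.log('JSON.parse on data:', parseUntrustedData(SAMPLE_JSON));
  console.log('JSON.parse on code:', parseUntrustedData(SAMPLE_EXPRESSION));
}
```

Run it with `node eval-scope.js`. The first call prints `local value`; the indirect and `Function` variants print `ReferenceError`, showing that only a direct `eval` exposes the caller's locals. The last two lines show that `JSON.parse` returns the parsed object for the JSON input and reports a `SyntaxError` for the expression string, where `eval` would have returned `2`.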
Additionally: