JavaScript: eval() function
Description
The eval function is used to execute JavaScript source code.
Syntax
eval(expr)
Parameters
expr:
expr is a string representing a JavaScript expression, statement, or sequence of statements. The expression can include variables and properties of existing objects. We should not call eval to evaluate an arithmetic expression (5 * 9 + 5 - 4), as JavaScript evaluates arithmetic expressions automatically. Note that the expr argument is optional. If there is no argument, eval returns undefined.
Do not use eval()
eval() is sluggish and prone to security threats, so its use is not recommended. Here is why:
i) Code passed to eval is executed with the privileges of the executor. So, if the code passed can be influenced by a malicious party, it leads to running malicious code on a user's machine with your website's privileges.
ii) Malicious code can see the scope in which the code passed to eval was called, which in turn may raise security threats.
iii) eval has to invoke the JS interpreter, which makes it sluggish.
There are a number of alternatives to eval() available.
Example -1 of eval() function
The following example shows how to use eval() function.
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta http-equiv="content-type" content="text/html; charset=iso-8859-1" />
<title>JavaScript: eval function example-1</title>
</head>
<body>
<h1 style="color: red">JavaScript eval() function example-1</h1>
<hr />
<script type="text/javascript">
//This is done to make the following JavaScript code compatible to XHTML. <![CDATA[
eval("language = 78; math = 89; science=90; document.write('Total marks : '+(language + math + science));");
//]]>
</script>
</body>
</html>
Example -2 of eval() function
Here is another example of the eval() function.
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta http-equiv="content-type" content="text/html; charset=iso-8859-1" />
<title>JavaScript: eval function example-2</title>
</head>
<body>
<h1 style="color: red">JavaScript eval() function example-2</h1>
<hr />
<script type="text/javascript">
//This is done to make the following JavaScript code compatible to XHTML. <![CDATA[
var x = "alert ('We are learning JavaScript eval() function.')";
eval (x);
//]]>
</script>
</body>
</html>
Alternatives to eval
Instead of using eval to convert property names into properties, use the member operators.
Code not recommended:
var propname = getPropName(); //returns "a" or "b"
eval( "var display = letters." + propname );
Code recommended:
var propname = getPropName(); //returns "a" or "b"
var display= letters[ propname ]; // letters[ "a" ] is the same as letters.a
Use functions instead of evaluating pieces of code
Use JSON.stringify and JSON.parse instead of using eval
Pass data instead of code
To scrape data from, say, a webpage, use XPath instead of JavaScript code.
Maintain Cross-implementation compatibility
Don't use a second argument in eval. It is not supported in all modern browsers.
Execute code with limited privileges
If you must run code with eval, reduce its privileges, though this may not be implemented in many applications. One use case may be implementing it in XUL, Mozilla's front-end architecture.
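The member-operator and JSON.parse alternatives above, shown side by side with eval as an added example (not code from the original page). The letters object, the executed array, the function names and both input strings are constructed for illustration; the own-property check goes slightly beyond the page's letters[ propname ] form.

```javascript
// Constructed sample data; these names are illustrative, not from the original page.
const letters = { a: "alpha", b: "beta" };
const executed = []; // records any code that ran while "parsing"

// Not recommended: eval treats the input as code, not as data.
function parseWithEval(text) {
  return eval("(" + text + ")");
}

// Recommended: JSON.parse accepts only JSON data and throws SyntaxError otherwise.
function parseWithJson(text) {
  try {
    return { ok: true, value: JSON.parse(text) };
  } catch (err) {
    return { ok: false, error: err.name };
  }
}

// Member-operator lookup limited to the object's own keys, so names such as
// "constructor" or "__proto__" do not resolve to inherited properties.
function lookupLetter(propname) {
  return Object.prototype.hasOwnProperty.call(letters, propname)
    ? letters[propname]
    : undefined;
}

// Constructed inputs: one plain data string, one that carries a function call.
const dataInput = '{"name": "a"}';
const codeInput = '{"name": executed.push("ran inside eval")}';

function demo() {
  executed.length = 0;                          // reset so repeated runs agree
  const viaEval = parseWithEval(codeInput);     // the push() call executes
  const viaJson = parseWithJson(codeInput);     // rejected as invalid JSON
  const good = parseWithJson(dataInput);        // parsed as data only
  return {
    evalRanCode: executed.length > 0,
    evalValue: viaEval.name,
    jsonRejected: !viaJson.ok && viaJson.error === "SyntaxError",
    display: lookupLetter(good.value.name),
    inherited: lookupLetter("constructor"),
  };
}

console.log(demo());
```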