Many developers believe that JavaScript's eval() method should be avoided. This idea makes sense from a design perspective. It is often used as an ugly workaround when a simpler, better option is available.

However, I do not understand the concerns about security vulnerabilities. Certainly, running eval() gives the hacker the ability to run any JavaScript code that you can run.

But can't they do this anyway? In Chrome, at least, the Developer Tools allow the end-user to run their own JavaScript. How is eval() more dangerous than the Developer Tools?
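The distinction the question turns on is whose code runs in whose session. A user typing into their own DevTools runs code as themselves; eval() on a string that came from somewhere else runs that string as every visitor who loads it. The following is an added example, not part of the question or of any answer on this page. The shared-profile scenario, the `session`, `exfiltrated` and `rejected` objects, and both preference strings are constructed for illustration.

```javascript
// Added example (not from the question): eval() on data written by someone
// else versus a user running code in their own DevTools. Everything below is
// constructed; a real page would have document.cookie, localStorage, the DOM
// and an authenticated fetch() in place of the `session` stand-in.
const session = { cookie: 'sid=CONSTRUCTED-SESSION-TOKEN' };
// Where a real attacker would send data; here we only record it.
const exfiltrated = [];

// Preferences a well-behaved user saved on a shared profile page.
const trustedPrefs = '{"theme":"dark","fontSize":14}';
// Preferences a hostile user saved on that same page. Every visitor's browser
// processes this string, not the author's. The trailing object literal keeps
// the page looking normal so the tampering is not obvious.
const hostilePrefs =
  'exfiltrated.push(session.cookie); ({"theme":"dark","fontSize":14})';

// Vulnerable loader: eval() runs whatever the string contains, with the
// visitor's identity and access. DevTools are not involved anywhere.
function loadPrefsWithEval(text) {
  return eval(text); // direct eval: sees `session` and `exfiltrated`
}

// Hardened loader: JSON.parse() accepts data only. Anything that is not JSON,
// including the hostile payload, is rejected instead of executed, so the
// caller gets a parsed object or a SyntaxError, never side effects.
function loadPrefsSafely(text) {
  return JSON.parse(text);
}

// Defensive wrapper a page would actually use: reject malformed input, fall
// back to defaults, and keep a record of what was rejected so the stored
// server-side data can be investigated.
const defaults = { theme: 'light', fontSize: 12 };
const rejected = [];
function loadPrefsOrDefault(text) {
  try {
    const parsed = loadPrefsSafely(text);
    // Allow-list the keys we expect so unexpected fields are dropped.
    return {
      theme: parsed.theme ?? defaults.theme,
      fontSize: parsed.fontSize ?? defaults.fontSize,
    };
  } catch (err) {
    rejected.push({ input: text.slice(0, 40), reason: err.name });
    return { ...defaults };
  }
}

// Runs both loaders over the hostile string and reports what happened.
// Resets the bookkeeping arrays so repeated calls give the same answer.
function demo() {
  exfiltrated.length = 0;
  rejected.length = 0;
  const viaEval = loadPrefsWithEval(hostilePrefs);  // "works", and leaks
  const viaJson = loadPrefsOrDefault(hostilePrefs); // rejected, defaults used
  return {
    evalResult: viaEval,
    leakedCount: exfiltrated.length, // 1: the visitor's cookie is gone
    safeResult: viaJson,
    rejectedCount: rejected.length,  // 1: recorded for investigation
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The eval() path returns a perfectly normal preferences object, which is why the leak goes unnoticed; the visitor never opened DevTools and never chose to run anything. The JSON.parse() path gives the same object for the honest string and a SyntaxError for the hostile one. A Content Security Policy whose `script-src` omits `'unsafe-eval'` makes the browser throw on eval() as a second line of defence, but the durable fix is to treat stored strings as data rather than code.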