Why is eval unsafe in javascript? [duplicate]

Possible Duplicate:
Why exactly is eval evil?

I have read people claim that eval is unsafe when run on arbitrary user input code. I understand this in other languages that run on the server and access the filesystem, etc. However, why does this matter when executing code in a browser? After all, can't you just fire up Firebug and write any arbitrary script you want anyway? So how is eval any different?


Solution 1:

The danger of eval only rears its ugly head when you are serving a script written by Alice to user Bob for Bob's browser to eval.

For example, if Bob enters his password on your page, Alice could have written a keylogger in the user input you evaled and arranged for the data to be encoded in a script that Bob will (unknowingly) submit to be served to Alice. This is, as @Hunter2 has suggested in the comments, an XSS attack.

If you are not serving to other people, you are correct in assuming it is equivalent to firing up Firebug.
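The point of this answer, as an added example that is not part of the original answers: the same stored "user input" handed to eval() and to JSON.parse(). The two input strings and the sideEffects array are constructed stand-ins; the tampered input only appends a marker to that array, which is where a real payload would read the victim's page instead.

```javascript
// Added example (not from the original answers). Two ways a page might turn a
// string it received from one user into an object for another user's browser.

// Constructed sample input. The first is honest data; the second carries code
// alongside the data, which is what Alice can submit if the page stores and
// re-serves raw input.
const HONEST_INPUT = '{"name": "bob", "theme": "dark"}';
const TAMPERED_INPUT =
  '(sideEffects.push("code ran in the other user\'s page"), {"name": "bob"})';

// Records whatever the evaluated string manages to do in this page's scope.
// In a real XSS this is where form contents would be read and sent away.
const sideEffects = [];

// Unsafe: treats the string as a program. The usual "(" + input + ")" idiom is
// needed because a bare object literal would parse as a block statement.
// Anything in the string executes with the page's privileges.
function parseWithEval(input) {
  return eval("(" + input + ")");
}

// Safe: treats the string as data only. Anything that is not JSON, including
// any code, is rejected with a SyntaxError and nothing is executed.
function parseWithJson(input) {
  try {
    return { ok: true, value: JSON.parse(input) };
  } catch (e) {
    return { ok: false, error: e.name };
  }
}

// Runs both parsers over both inputs and reports what executed as a result.
function compare() {
  sideEffects.length = 0;
  const evalHonest = parseWithEval(HONEST_INPUT);
  const effectsAfterHonest = sideEffects.length;
  const evalTampered = parseWithEval(TAMPERED_INPUT);
  const effectsAfterTampered = sideEffects.length;
  return {
    evalHonestName: evalHonest.name,
    evalTamperedName: evalTampered.name, // data still "looks right" to the page
    effectsAfterHonest, // 0: honest data did nothing
    effectsAfterTampered, // 1: the tampered string ran code
    jsonHonest: parseWithJson(HONEST_INPUT),
    jsonTampered: parseWithJson(TAMPERED_INPUT), // rejected, nothing ran
  };
}

console.log(JSON.stringify(compare(), null, 2));
```

Note that the tampered object still contains the expected name field, so the page using eval would see nothing wrong; the only trace is the entry in sideEffects, which JSON.parse never produces because it refuses the string outright.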

Solution 2:

I don't think it is unsafe; for the most paranoid, execute eval = null;