Why is eval() evil?

I just saw a YouTube video about the eval() function and read some things about eval() on Google. I can see eval() is pretty useful for evaluating strings as JS code. But they say that using eval() is "evil" and dangerous, and I don't get why.

11/7/2019 6:11:59 AM

SPICEAPPLE 🍎 // Busy :<

6 Answers



The eval() function evaluates code passed to it as an argument; for example eval("alert('hello')") would run alert('hello'). Since alert("hello") is not malicious, an attacker who knows more about writing malicious code can replace alert("hello") with something else, causing damage to the website.


Eval is considered risky and harmful. It is slow, and can contain malicious code like infinite loops, XSS (cross-site scripting) attacks, etc. It should never be used, or only in very specific secured applications. Personally I disable it in Content-Security-Policy (CSP) so it is not possible to use it. https://en.wikipedia.org/wiki/Content_Security_Policy
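An added example (not code from any of the posts in this thread) showing the point made by the two answers above: eval() on a string that came from input runs whatever the string contains, while a data-only parser refuses it; the CSP value at the end is the mitigation the second answer mentions. The "setting" format, the function names and the sample inputs are constructed for illustration.

```javascript
// Added example, not code from the thread. The functions, the "setting" format
// and the sample inputs are constructed for illustration.

// Records whether anything unexpected ran while a setting was being parsed.
const audit = { tampered: false };

// Insecure: a user-supplied string is executed as JavaScript. Whatever it
// contains runs with the same privileges as the page's own scripts.
function parseSettingUnsafe(input) {
  return eval(input);
}

// Hardened: accept data only (JSON), then validate the shape before use.
function parseSettingSafe(input) {
  let value;
  try {
    value = JSON.parse(input);
  } catch (err) {
    return null; // malformed input is refused rather than "evaluated"
  }
  if (typeof value !== "object" || value === null || Array.isArray(value)) return null;
  if (typeof value.theme !== "string" || !Number.isInteger(value.fontSize)) return null;
  return { theme: value.theme, fontSize: value.fontSize };
}

// Constructed inputs: a benign setting, and one that smuggles a statement in
// front of the expected object literal.
const BENIGN = '{ "theme": "dark", "fontSize": 14 }';
const TAMPERED = 'audit.tampered = true; ({ "theme": "dark", "fontSize": 14 })';

// Browser-side mitigation from the answer above: a script-src directive that
// does not include 'unsafe-eval' makes eval() throw an EvalError in the browser
// instead of running the string. (Served as a Content-Security-Policy header.)
const CSP_HEADER_VALUE = "script-src 'self'";

function demo() {
  const viaEval = parseSettingUnsafe(TAMPERED);   // looks fine: returns the object...
  const evalRanExtraCode = audit.tampered;        // ...but the smuggled statement ran too
  const viaJson = parseSettingSafe(TAMPERED);     // null: not valid JSON, nothing executed
  const viaJsonBenign = parseSettingSafe(BENIGN); // the expected, validated object
  return { viaEval, evalRanExtraCode, viaJson, viaJsonBenign };
}
```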


https://www.sololearn.com/post/97586/?ref=app https://code.sololearn.com/WKKkpq0efxai/?ref=app


SPICEAPPLE 🍎 // (=UwU=) you don't have to disable it; it only seems to be vulnerable if you're using it to accept input


Michal Straka Mirielle🐶 [Inactive] thank youuu uwu. Maybe I should disable that.


Mirielle🐶 [Inactive] Oh, I thought it could be disabled. But thanks again uwu