Is JavaScript eval really evil?

You may have heard this before: “eval is evil”. But is it really? And if so, why is it?

I’ll start with a quote:

“The eval function and its relatives (Function, setTimeout, and setInterval) provide access to the JavaScript compiler. This is sometimes useful, but in most cases it indicates the presence of extremely bad coding. The eval function is the most misused feature of JavaScript.” – Doug Crockford, “JavaScript: The Good Parts”

The eval method takes a string containing JavaScript code, compiles it, and then runs it. This one sentence might be enough for you to avoid it when you don’t need it. The compiler will use system resources, such as memory and cpu that will affect your application. If you can achieve the same logic without eval, your application will run faster, so why use it?  Then again, if your application is already screaming fast, a little delay from the JavaScript compiler should be no big deal. IMHO, this does not make eval evil.

Since the eval method executes script, you have to be more careful about user supplied data that may end up in an eval statement. Suppose you have an input field whose value is saved to the database, and that value is later used in an eval call. This code injection could certainly cause all sorts of serious problems for an end user. This is evil, but the real evil is the code injection vulnerability, not eval itself. If you use techniques to prevent such code from getting into your eval statement in the first place, you shouldn’t have to avoid eval for user supplied data. IMHO, this does not make eval evil, but is a good reason to avoid it when you can.

The most practical use of eval in the recent past has been for the parsing of JSON-formatted data when retrieving data via Ajax, but native JSON support is now available in all modern browsers as of the ECMAScript Language Specification, 5th Edition in Dec. 2009. If eval() is needed for JSON parsing, then in browsers that support it, JSON.parse() should be used. This means that eval for JSON parsing is only needed for older browsers.

Browsers that support the built in JSON Object and Grammar (reference):

  • Firefox 3.5+
  • Internet Explorer 8+
  • Opera 10.5+
  • Chrome
  • Safari

So my feeling on the subject: avoid eval when what you’re trying to achieve can be done without it. You can avoid performance degradation and reduce the risk of code injection security issues, and unless you need to support an old browser like IE7, you don’t need it for JSON.

Back to the quote… I agree that eval is often misused and often in the context of bad coding (I’ve seen a lot of it), but if you know what you’re doing, then your code should be in the “sometimes useful” bucket, and that certainly is not evil.

More References:

This entry was posted in JavaScript, Web Development. Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s