Why does eval() exist?

Many programmers say it is a bad practice to use the eval() function:

When is JavaScript's eval() not evil?

I'd like to take a moment to address the premise of your question - that eval() is "evil"...

Is this eval() dangerous?

Buggy evaled code can violate security properties just as easily as buggy source code...

Why not eval() JSON?

There are a number of ways that your security may be compromised...

Is there ever a good reason to use eval()?

Yes - when there is no other way to accomplish the given task with a reasonable level of clarity... This eliminates 99% of cases where eval is used...

Why is eval unsafe in javascript?

The danger of eval only rears its ugly head when you are serving a script written by alice to user bob for bob's browser to eval...


So why does it exist in the first place?

asked Feb 01 '12 at 01:02

@JoelCoehoorn, to get to the other side? -

I came across your post for one of the reasons eval is still needed. Web Workers pass strings back to the main page. Eval(), and fn = new Function("// this code is parsed"), are the choices. Embedding a <script> tag is possible but readability is next to zero in the event of an error. Looking for alternatives ... this["alert"]("hello world") does work, assumes an existing function, thus better error readability. -

6 Answers

Because sometimes there is a need. All the same reasons for/against using eval in JavaScript can likely be shared with the use of reflection in Java, for example.

However, I agree with everything you quoted in your question. Many reasons for using it are ill-advised, and best done differently - but sometimes, there is still a need, or it is simply the "best choice" over other available alternatives. (I'd focus on the answers to Is there ever a good reason to use eval()? for additional reasons.)

+1 to your question for good research.

answered May 23 '17 at 14:05

Happily adding another +1 for the good research. The 99% of avoidable cases is true. The 1% - things like dean.edwards.name/packer - would have been crazy to write without it, though ;) - Chris Nash

@Chris Great of a valid use case. I was trying to find out if Firebug Lite uses eval for its JS control but got lost in their code. - milimosa

There's a recent research publication on the topic that you might be interested in. Their conclusion matches your intuition/experience. See my answer. - ewernli

eval() exists because sometimes you want to give complete programmatic control of your application to code passed in at run time.

Languages without an eval() feature can definitely provide (a subset? all?) of this functionality by asking each programmer to essentially write their own eval() -- lex the input, parse the input, create new objects as necessary, run methods or functions on them via simple string comparisons or similar. In essence, duplicate the entire interpreter that already exists and is debugged and fast.

answered Feb 01 '12 at 05:02

Eval is actually a powerful feature and there are some things that are impossible to do without it. For example:

  1. Evaluate code received from a remote server. (Say you want to make a site that can be remotely controlled by sending JavaScript code to it?)
  2. Evaluate user-written code. Without eval, you can't program, for example, an online editor/REPL.
  3. Creating functions of arbitrary length dynamically (function.length is readonly, so the only way is using eval).
  4. Loading a script and returning its value. If your script is, for example, a self-calling function, and you want to evaluate it and get its result (eg: my_result = get_script_result("foo.js")), the only way of programming the function get_script_result is by using eval inside it.
  5. Re-creating a function in a different closure.

And anything else you'd want to do that involves creating code on the fly.

The reason it is considered "evil" is because it's classically used by novices to do things that the language can handle natively. For example, the code below:

age_of_erick = 34;
age_of_john = 21;
person = "erick";
// builds the source text "console.log(age_of_erick)" and hands it to the interpreter
eval("console.log(age_of_" + person + ")");

(The stray quotes inside the original eval string made it print the literal text 'age_of_erick' rather than 34; they are removed here so that both snippets really do the same thing.)

And the code below:

age = {erick: 34, john: 21};
person = "erick";
// plain property lookup with the same dynamic key; nothing is parsed or compiled
console.log(age[person]);

Both do the same thing, except one parses a string, generates code from it, compiles into machine code and then runs, while the other reads a value from a hash, which is a lot faster.

answered Feb 13 '14 at 22:02

There's a research publication exactly on this topic:

The Eval That Men Do -- A Large-scale Study of the Use of Eval in JavaScript Applications
Mirror on Wayback Machine

It is to me the most comprehensive answer to this question to date.

Quote from the abstract:

We have recorded the behavior of 337 MB of strings given as arguments to 550,358 calls to the eval function exercised in over 10,000 web sites.

Amongst other, they identified 9 categories of recurring eval:

  1. JSON - A JSON string or variant.
  2. JSONP - A padded JSON string.
  3. Library - One or more function definitions.
  4. Read - Read access to an object’s property.
  5. Assign - Assignment to a local variable or object property.
  6. Typeof - Type test expression.
  7. Try - Trivial try/catch block.
  8. Call - Simple function/method call.
  9. Empty - Empty or blank string.

A snippet from the conclusion (which is too long to be quoted entirely):

[...] While many uses of eval were legitimate, many were unnecessary and could be replaced with equivalent and safer code. We started this work with the hope that it would show that eval can be replaced by other features. Unfortunately our data does not support this conclusion. [...]

A paper well worth reading.

answered Aug 11 '15 at 20:08
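As an added example (not code from this thread or from the paper), the functions below show eval-free equivalents for the most common eval categories the study lists (JSON, Read, Assign, Typeof/Call), and readPath also covers the dynamic age_of_<person> lookup from the earlier answer. The function names, the FORBIDDEN key set and the handler-table convention are this example's own choices, not anything the page prescribes.

```javascript
// Added example, not code from the thread: eval-free equivalents for the most
// common eval categories in the cited study (JSON, Read, Assign, Typeof/Call),
// which also covers the dynamic age_of_<person> lookup from the earlier answer.

// JSON: eval("(" + text + ")") runs any code in text; JSON.parse accepts only data.
function parseJsonSafely(text) {
  try {
    return { ok: true, value: JSON.parse(text) };
  } catch (e) {
    return { ok: false, error: e.message }; // e.g. text that is a function call
  }
}

// Read: eval("obj." + path) becomes a walk over the path, one own property at a
// time, so "__proto__" or "constructor" segments never reach the prototype chain.
function readPath(obj, path) {
  let cur = obj;
  for (const key of path.split(".")) {
    if (cur === null || typeof cur !== "object" ||
        !Object.prototype.hasOwnProperty.call(cur, key)) return undefined;
    cur = cur[key];
  }
  return cur;
}

// Assign: eval("obj." + path + " = v") becomes explicit traversal that creates
// intermediate plain objects and refuses prototype-related keys.
const FORBIDDEN = new Set(["__proto__", "constructor", "prototype"]);
function assignPath(obj, path, value) {
  const keys = path.split(".");
  if (keys.some((k) => FORBIDDEN.has(k))) return false;
  let cur = obj;
  for (const key of keys.slice(0, -1)) {
    if (cur[key] === null || typeof cur[key] !== "object") cur[key] = {};
    cur = cur[key];
  }
  cur[keys[keys.length - 1]] = value;
  return true;
}

// Typeof / Call: eval("typeof " + name) and eval(name + "(...)") become a lookup
// in an explicit table of handlers instead of the global scope.
function callNamed(handlers, name, ...args) {
  const fn = Object.prototype.hasOwnProperty.call(handlers, name) ? handlers[name] : undefined;
  if (typeof fn !== "function") return { ok: false, reason: "no handler named " + name };
  return { ok: true, value: fn(...args) };
}
```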

The eval() feature is like scissors. You're an adult, it's your responsibility to not run with them.

I've seen the design philosophy of dynamic languages (like JavaScript) summarised as preferring to enable smart people to do clever things above trying to prevent stupid people from doing silly things. (Unfortunately I can't recall the original source or phrasing.)

If you're worried about introducing bugs with eval, you can use strict mode. It seems to prevent some of the problems with how the feature is designed. (That is, as a "magic" function allowed to clobber your namespace.)

answered Feb 01 '12 at 05:02

Eval exists to simplify tasks in JavaScript. You can use it to evaluate multiple statements. Instead of having to find another way you can use eval to do such things. Even though it is discouraged it has considerable power and use.

answered Aug 11 '15 at 20:08
