Security Risks of Using eval() in JavaScript



In this article, you will learn the security risks of using eval() in JavaScript.

What is eval()?

The eval() is a function that evaluates and executes the character string specified in the argument as JavaScript program code.

There are two types of functions themselves, one is a function provided by JavaScript from the beginning and the other is a self-made function.
The eval() is provided from the beginning in JavaScript.

How to use the eval()

Only strings can be specified as arguments of the eval().

The basic syntax is:


You can freely hand over the JavaScript code and operate it.

Below is a sample that specifies a character string and calculates it as JavaScript code.


var test=10;

The security risks of using eval()

The eval function has the following risks:

  • JavaScript programs prepared by a malicious third party are freely executed.
  • Processing speed will be slower than executing a normal JavaScript program.

For this reasons, it is common not to use the eval().
You can create most of the process without using the eval function.

The eval() is said to be “eval is evil”.
Therefore, be sure to fully understand the risks when using it.