You'll have to explain this one. Why do you need to use eval()?
eval() is no more or less dangerous or insecure than a SQL query string.
The problem is NOT the command, it's what people put into it. If you sanitize any user-generated variables being plugged into it, there is no risk!
The PROBLEM is that people just slop whatever they want to process with it into there any-old-way. 99% of the time one regex and any potential 'issues' go away.
Not using something because other people are too stupid to use it properly is just plain dumb!
See "with". (and how 'use strict' kills it off)
Matt Strom eval() can be used in various situations. Just last week, I used it in order to execute script tags in HTML partials, which I received from my server and had to insert into the page using innerHTML. innerHTML does not execute script tags for XSS reasons since HTML5, which is useful in general, but has to be worked around when using static dynamic content from a source which I control and which is served via TLS.
Alternatively, I could have created a new script tag and appended it to the DOM, however that's a lot more work for a simple task imho.
execute script tags
Something I wouldn't do...
innerHTML
Something I wouldn't do.
HTML partials
Something that shouldn't exist.
Those three things are really troubling in concept.
static dynamic content
The what now?!? Which is it, static or dynamic? Or is this like the Doctor reversing the polarity of the neutron flow?
I find it disturbing how often folks, when doing things like AJAX, will slop markup into the response to innerHTML it in. 20 years of good practices and sound advice down the drain.
Alternatively, I could have created a new script tag and appended it to the DOM
Better but...
Alternatively, I could have created a new script tag and appended it to the DOM, however that's a lot more work for a simple task imho.
Three lines of code is a "lot more work"?
NOT that your solution would work on any secure system anyway, since ALL scripting inside a <script> tag is blocked under the CSP if you're using that.
The content security policy is a great way to make people using JavaScript in wrong and insecure ways cry in their beers. "Wah wah, but I wanna" -- well tough! Doesn't work anymore.
Jason Knight there will always be requirements people can't do anything about. I wouldn't do partials, either, but I have to, and they are HTML, so innerHTML is the way to go, and they do contain scripts. Tell me a better way to handle partials, and I will gladly change my code :)
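Since the thread ends with a request for a better way to handle partials that contain scripts, and an earlier reply points out that a CSP stops eval() and inline scripts from running, here is an added example in browser JavaScript that is not code from any participant in the thread. It inserts a partial through a <template>, re-creates only those <script> elements that the page's own policy allows (a same-origin src, or an inline script carrying the nonce the server put in this response's CSP header), and drops the rest before anything is connected to the document. The sample partial, the origin https://example.test, the nonce value and the helper names scriptAllowed, attrsOf and mountPartial are all constructed for this example.

```javascript
// Added example (not code from the thread): executing the <script> elements of an
// HTML partial without eval(), under a CSP such as
//   Content-Security-Policy: script-src 'self' 'nonce-<per-response-value>'
// (no 'unsafe-inline' and no 'unsafe-eval', so raw inline scripts and eval() are refused).
// ASSUMPTIONS: the partial is served by the same origin over TLS, and the server
// puts the same nonce in the CSP header and on the inline scripts it emits.

// Pure policy on a script's attributes, kept free of DOM calls so it can be
// unit-tested outside a browser. Returns true only for a same-origin external
// script or an inline script whose nonce matches the one this page received.
function scriptAllowed(attrs, { pageOrigin, nonce }) {
  if (attrs.src !== undefined) {
    let url;
    try { url = new URL(attrs.src, pageOrigin); } catch (e) { return false; }
    // javascript:, data: and cross-origin URLs all fail here (origin "null" or different)
    return url.origin === pageOrigin;
  }
  return Boolean(nonce) && attrs.nonce === nonce;
}

// Collect the attributes of an element into a plain object.
function attrsOf(el) {
  const out = {};
  for (const a of el.attributes) out[a.name] = a.value;
  return out;
}

// Replace container's children with the partial. innerHTML on a <template> parses
// the markup but never runs scripts; a freshly created <script> element, however,
// does run once it is connected to the document. That is the "create a script tag
// and append it" approach from the thread, applied to every script the policy allows.
function mountPartial(container, html, policy) {
  const doc = container.ownerDocument;
  const tpl = doc.createElement('template');
  tpl.innerHTML = html;
  const report = { kept: [], dropped: [] };
  for (const old of tpl.content.querySelectorAll('script')) {
    const attrs = attrsOf(old);
    if (!scriptAllowed(attrs, policy)) {
      report.dropped.push(attrs);
      old.remove();
      continue;
    }
    const fresh = doc.createElement('script');
    for (const [name, value] of Object.entries(attrs)) fresh.setAttribute(name, value);
    fresh.textContent = old.textContent;
    old.replaceWith(fresh); // still inside the template: nothing runs yet
    report.kept.push(attrs);
  }
  container.replaceChildren(tpl.content); // now connected: kept scripts execute in document order
  return report;
}

// Constructed sample partial, as a server might return it for this page.
const SAMPLE_PARTIAL = `
<section id="cart">
  <p>3 items</p>
  <script src="/static/cart.js"></script>
  <script nonce="r4nd0m">document.getElementById('cart').dataset.ready = '1';</script>
  <script src="https://cdn.attacker.test/x.js"></script>
  <script>/* no nonce: the CSP would have refused this one anyway */</script>
</section>`;

// In a real page pageOrigin would be location.origin and nonce the value the server
// rendered into this response; both are constructed here.
const POLICY = { pageOrigin: 'https://example.test', nonce: 'r4nd0m' };

// Browser-only demo; the policy function above is what can be exercised in Node.
if (typeof document !== 'undefined') {
  const report = mountPartial(document.body, SAMPLE_PARTIAL, POLICY);
  console.log('kept', report.kept, 'dropped', report.dropped);
}
```

The point of splitting the policy out of the DOM code is that the decision about which scripts from a partial may run is the part that deserves a test, and it is the same decision a CSP makes: with `script-src 'self' 'nonce-...'` the browser would refuse the cross-origin and un-nonced scripts even if mountPartial re-created them, so the policy only makes that outcome explicit and keeps the violations out of your CSP reports.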
Jason Knight
The less code you use, the less there is to break