I tried googling but didn't get a very specific answer.. then again, I might not be using the right keywords.. can someone point out the "security" issues javascript eval can c
eval() may be a sign of poor design. For instance, sometimes people use it to access object properties because they don't know you can use the [] notation, i.e., eval('obj.' + prop_name). It's also a source of XSS holes if you eval() user content, since it might be interpreted as JS. It also tends to be slower than the alternatives.
This would be the most basic example of XSS while using eval() to parse JSON:
eval('({"a": "b", "c": "d" + alert("xss") + ""})')
To get a hole like this you would have to be lazy about building your JSON and not escape quotes, but there are more complex examples, and using a specialized library like Douglas Crockford's (json.org) one would avoid it.
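The hole described in the answer above, next to its fix, as an added example that is not part of the original answer. It uses the built-in JSON.parse and JSON.stringify in place of the json.org library; `sideEffect` is a harmless stand-in for `alert`, and every function name and the sample input are constructed for illustration.

```javascript
// Constructed input: a user value that closes the string literal and injects a call.
const userInput = 'd" + sideEffect("xss") + "';

// Records any code that the "data" managed to execute (stand-in for alert()).
const calls = [];
function sideEffect(tag) { calls.push(tag); return ""; }

// Lazy JSON building: quotes inside the value are not escaped.
function buildLazy(value) {
  return '{"a": "b", "c": "' + value + '"}';
}

// Safe building: JSON.stringify escapes quotes and backslashes in the value.
function buildSafe(value) {
  return JSON.stringify({ a: "b", c: value });
}

// Vulnerable parse: eval treats the text as JavaScript, so the injected call runs.
function parseWithEval(text) {
  return eval("(" + text + ")");
}

// Hardened parse: JSON.parse accepts only JSON grammar and never executes code.
function parseStrict(text) {
  try {
    return { ok: true, value: JSON.parse(text) };
  } catch (e) {
    return { ok: false, error: e.name };
  }
}

// Property lookup by name without eval('obj.' + prop_name).
function getProp(obj, propName) {
  return Object.prototype.hasOwnProperty.call(obj, propName) ? obj[propName] : undefined;
}

const lazyText = buildLazy(userInput);
console.log("lazy text:   ", lazyText);
console.log("eval result: ", parseWithEval(lazyText), "injected calls:", calls);
console.log("strict parse:", parseStrict(lazyText));
console.log("safe build:  ", parseStrict(buildSafe(userInput)));
```

With eval the injected call runs and the parsed value looks clean, so the result alone does not reveal the injection; JSON.parse rejects the same text with a SyntaxError.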