267

How do I execute some JavaScript that is a string?

function ExecuteJavascriptString()
{
    var s = "alert('hello')";
    // how do I get a browser to alert('hello')?
}
Improve this question
0

22 Answers 22

Reset to default
340

With the eval function, like:

eval("my script here");

But please heed the warning message from the MDN page:

Warning: Executing JavaScript from a string is an enormous security risk. It is far too easy for a bad actor to run arbitrary code when you use eval(). [...]

Improve this answer
Sign up to request clarification or add additional context in comments.

3 Comments

Be carefull ! This gonna execute the code therefore be careful of where/how you got this string. Mind that anyone may try to insert malicious code inside your string.
@divinci This is called "Cross Site Scripting". See here: en.wikipedia.org/wiki/Cross-site_scripting.
Make sure that the code inside eval is syntactically correct, as you will get a SyntaxError when running eval("my script here");.
188

You can execute it using a function. Example:

var theInstructions = "alert('Hello World'); var x = 100";

var F=new Function (theInstructions);

return(F());
Improve this answer

12 Comments

but in the end - isn't that the same as calling var F=function(){eval(theInstructions);};?
yes and no: with eval code would be also executed, while with Function() code isn't executed until F() (use case? check for syntax error but don't want to execute the code)
@stefan It's beatifull... new Function("alert('Hello World');")()
I tried this inside a try/catch block, and it works perfectly. I can now take any JavaScript code typed into a text block, pass it to my function, and execute it. The catch block can then insert error messages from the JavaScript engine into a DOM element and display any errors in the code. If someone wants the function I wrote, then once I've tidied it up, I can post it here.
@DavidEdwards Would be awesome if you still have it and post it.
|
72

The eval function will evaluate a string that is passed to it.

But the use of eval is super dangerous AND slow, so use with caution.

Improve this answer

9 Comments

super dangerous AND slow - you should bold, italic, underline, and h1 that
I'm doubtful that it's any slower than loading JavaScript anywhere else on the page, that has to be parsed as well. If it's slower, it it's because it's done in a different scope, which might force to creation of resources for that scope.
If you say eval() is dangerous. Is there any alternative?
@coobird I know this is a little late but why is that dangerous? The user can easily run JavaScript code on your website using the console.
if your security depends at all on client-side javascript, you've screwed up big time and it has nothing to do with eval.
|
43

For users that are using node and that are concerned with the context implications of eval() nodejs offers vm. It creates a V8 virtual machine that can sandbox the execution of your code in a separate context.

Taking things a step further is vm2 which hardens vm allowing the vm to run untrusted code.

const vm = require('vm');

const x = 1;

const sandbox = { x: 2 };
vm.createContext(sandbox); // Contextify the sandbox.

const code = 'x += 40; var y = 17;';
// `x` and `y` are global variables in the sandboxed environment.
// Initially, x has the value 2 because that is the value of sandbox.x.
vm.runInContext(code, sandbox);

console.log(sandbox.x); // 42
console.log(sandbox.y); // 17

console.log(x); // 1; y is not defined.
Improve this answer

3 Comments

Rather than saying "eval is evil" and giving no context or solution, this actually tries to solve the issue. +1 for you
What happens if the code is trying to delete or create a file for instance?
@SteveMoretz Honestly, its been a while since I was using this, I'm not sure.
23

Try this:

  var script = "<script type='text/javascript'> content </script>";
  //using jquery next
  $('body').append(script);//incorporates and executes inmediatelly

Personally, I didn't test it but seems to work.

Improve this answer

2 Comments

You forgot escaping closing > in script: var script = "<script type=\"text/javascript\"> content </script\>";
Why do you need to escape the closing > ?
22

Use eval().

W3 Schools tour of eval. Site has some usable examples of eval. The Mozilla documentation covers this in detail.

You will probably get a lot of warnings about using this safely. do NOT allow users to inject ANYTHING into eval() as it is a huge security issue.

You'll also want to know that eval() has a different scope.

Improve this answer

5 Comments

w3fools.com. The W3C doesn't even have anything to say about eval. If you want to link to something official, target ecma-international.org/ecma-262/5.1/#sec-15.1.2.1
I didn't want to "link to anything official, I wanted to link to something readable - Looking at what you linked, it gives no explanation of how it is used, no examples, no way to tinker, and describes the method in isolation. For a beginner, it is a completely inappropriate link. Hey, you wouldn't happen to be @bjorninge, would you?
The spec describes eval better to me than that W3Schools article. Something readable with good explanation and examples would be developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/…. And no, I'm not bjorninge
I will agree that it's not documentation, and I will agree that mozilla's page is a better overall picture of it. Slightly tweaked my answer based on feedback
Regarding that ecma-international.org link, I would describe it as readable and appreciable by everyone with more than 15 minutes experience with JS. It's very nice.
21 
new Function('alert("Hello")')();

I think this is the best way.

Improve this answer

5 Comments

Why do you think it is the best way?
@ggorlen Because it's the most succinct.
Works great! But fails when i try to put into a function: function evil(sCmd){ new Function(sCmd))() }
@johnywhy Is it? eval('alert("Hello")') seems clearly more succinct, so there should be some other reason given as to why this is better than eval. I'm asking OP to explain their post, in any case.
It's the most succinct alternative to eval, which is generally regarded as unsafe, as explained in most answers here.
17

A bit like what @Hossein Hajizadeh alerady said, though in more detail:

There is an alternative to eval().

The function setTimeout() is designed to execute something after an interval of milliseconds, and the code to be executed just so happens to be formatted as a string.

It would work like this:

ExecuteJavascriptString(); //Just for running it

function ExecuteJavascriptString()
{
    var s = "alert('hello')";
    setTimeout(s, 1);
}

1 means it will wait 1 millisecond before executing the string.

It might not be the most correct way to do it, but it works.

Improve this answer

2 Comments

Why waste one millisecond when you can pass 0 (zero) to setTimeout? Note that in any case it will make the execution asynchronous. It means that all code that follows the setTimeout call will be invoked before the code passed to setTimeout (even if called with 0 (zero)).
🤷‍♀️ just thought it better explained how setTimeout works
9

Checked this on many complex and obfuscated scripts:

var js = "alert('Hello, World!');" // put your JS code here
var oScript = document.createElement("script");
var oScriptText = document.createTextNode(js);
oScript.appendChild(oScriptText);
document.body.appendChild(oScript);
Improve this answer

2 Comments

That only works in the browser though js runs in many environments
The OP asked about browser JS.
7

Use eval as below. Eval should be used with caution, a simple search about "eval is evil" should throw some pointers.

function ExecuteJavascriptString()
{
    var s = "alert('hello')";
    eval(s);
}
Improve this answer

1 Comment

Good tip on that a simple search about "eval is evil" Thanks!
7

New Function and apply() together works also

var a=new Function('alert(1);')
a.apply(null)
Improve this answer

3 Comments

This is better than eval(). developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/…
can you use apply without the varialbe? The following fails: ("new Function('alert(1);')").apply
@johnywhy You need the parameter, it's mandatory as scope developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/…
7

If you want to execute a specific command (that is string) after a specific time - cmd=your code - InterVal=delay to run

 function ExecStr(cmd, InterVal) {
    try {
        setTimeout(function () {
            var F = new Function(cmd);
            return (F());
        }, InterVal);
    } catch (e) { }
}
//sample
ExecStr("alert(20)",500);
Improve this answer

3 Comments

@SteelBrain add a sample run by ExecStr("alert(20)",500);
Why is Val in InterVal capitalized?
InterVal is used as an argument, that's why it's capitalized.
5

I was answering similar question and got yet another idea how to achieve this without use of eval():

const source = "alert('test')";
const el = document.createElement("script");
el.src = URL.createObjectURL(new Blob([source], { type: 'text/javascript' }));
document.head.appendChild(el);

In the code above you basically create Blob, containing your script, in order to create Object URL (representation of File or Blob object in browser memory). Since you have src property on <script> tag, the script will be executed the same way as if it was loaded from any other URL.

Improve this answer

Comments

4 
eval(s);

But this can be dangerous if you are taking data from users, although I suppose if they crash their own browser thats their problem.

Improve this answer

4 Comments

exactly. Eval is dangerous on the server side. On the client... not so much. The user could just type in javascript:someevilcode in to the address of the browser and boom. Eval right there.
@EsbenSkovPedersen That's prevented in chrome at least, and it requires user action, as opposed to a site that evals code from users, which could for instance let users steal other user's accounts without them knowing just by loading the page.
@1j01 To be fair my comment is five years old.
@EsbenSkovPedersen That's true :)
4 
function executeScript(source) {
    var script = document.createElement("script");
    script.onload = script.onerror = function(){ this.remove(); };
    script.src = "data:text/plain;base64," + btoa(source);
    document.body.appendChild(script);
}

executeScript("alert('Hello, World!');");
Improve this answer

Comments

4

An extention of Stefan's answer:

//Executes immediately
function stringToFunctionAndExecute(str) {
    let func = new Function(str);
    return (func()); // <--- note the parenteces
}

//Executes when called
function stringToFunctionOnly(str) {
    let func = new Function(str);
    return func;
}

// -^-^-^- Functions -^-^-^- (feel free to copy)
// -v-v-v- Explanations -v-v-v- (run code to read easier)

console.log('STEP 1, this executes directly when run:')
let func_A = stringToFunctionAndExecute("console.log('>>> executes immediately <<<')");

console.log("STEP 2, and you can't save it in a variable, calling a() will throw an error, watch:")
try {
  func_A();    
} catch (error) {
  console.log('STEP ERROR, see, it failed', error)    
}

console.log('STEP 3, but this will NOT execute directly AND you can save it for later...')
let func_B = stringToFunctionOnly("console.log('>>> executes when called <<<')");

console.log("STEP 4, ...as you see, it only run when it's called for, as is done now:")
func_B();

console.log('STEP 5, TADAAAAA!!')

Improve this answer

Comments

3

Not sure if this is cheating or not:

window.say = function(a) { alert(a); };

var a = "say('hello')";

var p = /^([^(]*)\('([^']*)'\).*$/;                 // ["say('hello')","say","hello"]

var fn = window[p.exec(a)[1]];                      // get function reference by name

if( typeof(fn) === "function") 
    fn.apply(null, [p.exec(a)[2]]);                 // call it with params
Improve this answer

Comments

2

eval should do it.

eval(s);
Improve this answer

Comments

2

One can use mathjs

Snippet from above link:

// evaluate expressions
math.evaluate('sqrt(3^2 + 4^2)')        // 5
math.evaluate('sqrt(-4)')               // 2i
math.evaluate('2 inch to cm')           // 5.08 cm
math.evaluate('cos(45 deg)')            // 0.7071067811865476

// provide a scope
let scope = {
    a: 3,
    b: 4
}
math.evaluate('a * b', scope)           // 12
math.evaluate('c = 2.3 + 4.5', scope)   // 6.8
scope.c

scope is any object. So if you pass the global scope to the evalute function, you may be able to execute alert() dynamically.

Also mathjs is much better option than eval() because it runs in a sandbox.

A user could try to inject malicious JavaScript code via the expression parser. The expression parser of mathjs offers a sandboxed environment to execute expressions which should make this impossible. It’s possible though that there are unknown security vulnerabilities, so it’s important to be careful, especially when allowing server side execution of arbitrary expressions.

Newer versions of mathjs does not use eval() or Function().

The parser actively prevents access to JavaScripts internal eval and new Function which are the main cause of security attacks. Mathjs versions 4 and newer does not use JavaScript’s eval under the hood. Version 3 and older did use eval for the compile step. This is not directly a security issue but results in a larger possible attack surface.

Improve this answer

1 Comment

"MAY be able to"?
1 
eval(s);

Remember though, that eval is very powerful and quite unsafe. You better be confident that the script you are executing is safe and unmutable by users.

Improve this answer

2 Comments

In JS everything can be changed by the user just type "javascript:document.write("Hello World");" into almost any browser's address bar.
Yes, but you can make it harder for him by not using global variables, hiding your functions in closures etc. Also, by avoiding eval like the plague =)
1

Using both eval and creating a new Function to execute javascript comes with a lot of security risks. 

const script = document.createElement("script");
const stringJquery = '$("#button").on("click", function() {console.log("hit")})';
script.text = stringJquery;
document.body.appendChild(script);

I prefer this method to execute the Javascript I receive as a string.

Improve this answer

1 Comment

How does this mitigate the security risks?
1

This method avoids use of potentially-risky eval, provides callable functions, uses strict mode on the expression evaluator for extra reliability, and less verbose than other answers.

execute a string command

function string_cmd(sCmd) {
    new Function(sCmd)();
}

evaluate a string expression

function string_exp(sCmd) {
    return Function(
        `'use strict'; 
        return (${sCmd})`
        )();
}

usage:

const result = string_exp("2+2");

string_cmd("alert(result)");

https://codepen.io/johnaweiss/pen/mdKpyZL

Improve this answer

1 Comment

Can i use strict on the executor?

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.