I read people claim that eval is unsafe when run on arbitrary user input code. I understand this in other languages that run on the server, that access the filesystem, etc. However, why does this matter when executing code in a browser? After all, can't you just fire up Firebug and write any arbitrary script you want anyway? So then how is eval any different?
1 Answer
The danger of eval only rears its ugly head when you are serving a script written by alice to user bob for bob's browser to eval.
e.g. if bob enters his password on your page, alice could have written a keylogger in the user input you evaled and arrange for the data to be encoded in a script that bob will (unknowingly) submit to be served to alice. This is, as @Hunter2 has suggested in the comments, an XSS attack.
If you are not serving to other people, you are correct in assuming it is equivalent to firing up Firebug.
eval() may be an XSS attack vector, if you're not careful.
eval in server-side languages often don't apply, because JavaScript doesn't have io access.
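The Alice-to-Bob scenario from the answer, as an added, runnable simulation (this is not code from the question, the answer, or the comments). A site stores user-submitted "settings" and later renders them for another user; the vulnerable renderer `eval()`s the stored string, the hardened one treats it strictly as data with `JSON.parse`. The function names, the `exfiltrate` stand-in for an outbound request, the fake `document` object and the password value are all constructed for the example; in a real browser the payload would read the DOM and send the data with `fetch` or an `Image` beacon.

```javascript
// Added example: stored XSS through eval(), simulated in Node without a browser.
// Stand-in for the attacker's server: whatever the payload "sends" lands here.
const attackerInbox = [];
function exfiltrate(data) {
  attackerInbox.push(data);
}

// Constructed sample: the "theme settings" Alice saved on the site. It looks
// like an object literal, but the second property is a function call that
// runs with whatever the evaluating page can see.
const aliceSubmission = `({
  "theme": "dark",
  "__": exfiltrate(document.password)
})`;

// Constructed sample: an honest settings string, plain JSON.
const honestSubmission = `{"theme": "light"}`;

// VULNERABLE: the page "parses" stored settings by evaluating them. Direct
// eval runs the string in this function's scope, so the payload can reach the
// `document` parameter (the real DOM in a browser) and anything global.
function renderSettingsUnsafe(savedSettings, document) {
  return eval(savedSettings);
}

// HARDENED: stored settings are data, never code. JSON.parse cannot call
// functions, and the attacker's string is not valid JSON, so it is rejected.
function renderSettingsSafe(savedSettings) {
  try {
    return JSON.parse(savedSettings);
  } catch (e) {
    return null; // malformed settings: fall back to defaults, do not execute
  }
}

// Serve one user's stored string to Bob's page through a chosen renderer and
// report both the parsed result and what reached the attacker.
function simulate(submission, renderer, bobDocument) {
  attackerInbox.length = 0;
  const result = renderer(submission, bobDocument);
  return { result, leaked: attackerInbox.slice() };
}

// Constructed stand-in for Bob's page state (what a real payload would read
// from the DOM after Bob typed his password).
const bobDocument = { password: "hunter2" };

console.log("eval:      ", simulate(aliceSubmission, renderSettingsUnsafe, bobDocument));
console.log("JSON.parse:", simulate(aliceSubmission, renderSettingsSafe, bobDocument));
console.log("honest:    ", simulate(honestSubmission, renderSettingsSafe, bobDocument));
```

Running it shows the point of the answer: with `eval`, Alice's string executes in Bob's page and the password is "sent" to her, while the theme still renders as expected so Bob notices nothing; with `JSON.parse`, the same string is simply rejected. Alice firing up Firebug on her own browser gains her nothing; it is the evaluation of her input in someone else's browser that matters.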