Should I insert <script> or should I eval?

Question

Should I insert <script> or should I eval?

I have JavaScript code in a string that I received dynamically according to certain conditions (the result of certain user actions).

Now I am wondering if I should just eval it (will work, checked) or should I embed <script> in the DOM with the string value inside it. Part of the risk of XSS is clear to me (the script absolutely does not use anything that the user enters). I would like to know the problems associated with the area (if any) that arise due to the insertion of the <script> .

+4

javascript eval xss

techfoobar Mar 28 '13 at 19:21

source share

2 answers

There is no reason to avoid eval if the code you are evaluating comes from a reliable source. If this is data on your server and does not contain user-generated code, then evade. Eval is not always evil.

+3

Jeremy Mar 28 '13 at 19:24

source share

Trevor dixon · Accepted Answer · 2013-03-28T19:27:45+0000

There is no security benefit for creating a script element and pasting javascript on top of eval into it. Using eval means that it has access to any local variables, so defining the scope is only a problem if your eval d code needs access to local variables.

Should I insert <script> or should I eval?

More articles: