As B-Con mentioned, the attacker is not the one sitting at the computer, so he can use eval() already in your script as a means of transferring malicious code to your site in order to use the current user (for example, the user following the malicious link).
The danger of eval() is that it runs on unanalyzed values and can lead to an XSS-based DOM vulnerability.
eg. consider the following code in your HTML (rather contrived, but it demonstrates the problem I hope for)
<script> eval('alert("Your query string was ' + unescape(document.location.search) + '");'); </script>
Now, if the query string is ?foo , you just get a warning dialog box about the following: Your query string was ?foo
But what this code will allow the user to do is redirect users from their site to a URL, for example http://www.example.com/page.htm?hello%22);alert(document.cookie+%22 , where www. example.com is your site.
This changes the code that is executed using eval() to
alert("Your query string was hello"); alert(document.cookie+"");
(New lines added by me for clarity). Now this can do something more malicious than displaying the current cookie value, since the required code is simply transmitted along the request line with an attacker’s link in encoded form. For example, it can send a cookie to an attacker’s domain in a resource request, allowing it to capture an authentication session.
This applies to any value from user / external input that is unactivated and executed directly in eval() , and not just in the query string, as shown here.
Silverlightfox
source share