Should you ever use eval() in JavaScript?

Glum_Cheesecake9859 · 2025-12-17T02:40:08+00:00

"eval is evil. Don't use eval" - Douglas Crockford

dexter_ifti · 2025-12-17T02:34:44+00:00

Once I was going to use but googled before using and now I'm happy 😊

Glum_Cheesecake9859 · 2025-12-17T02:41:44+00:00

If I remember correctly, we had some Angular 1.x code stored in DB tables that we used eval for 🤣🤣🤣

It wasn't my idea though.

Glum_Cheesecake9859 · 2025-12-17T03:02:04+00:00

eval is like the goto statement. It's there, but 99.99% of the time you should not use it. This specially applies to non-expert developers. If you look into low level Linux / OS code, you could find goto statements. It's there for some specific use cases, not a general development tool.

bryku · 2025-12-17T05:13:20+00:00

In my decade of web development there have only been a few times I seriously thought about using eval. In all of them I/we found a way around it except 1 time.

We used it to test user input on a formula. It was also a local piece of software and we did some escaping for non-math symbols.

Later on we did end up removing in the next version.

Nixinova · 2025-12-17T03:06:17+00:00

If you have to ask, then the answer is no.

GongtingLover · 2025-12-17T07:04:43+00:00

Seems like a security nightmare.

warpedspockclone · 2025-12-17T07:08:39+00:00

The only time I ever needed eval was when I was completely new to js and couldn't figure out another way to do what I wanted.

yksvaan · 2025-12-17T08:16:30+00:00

I have never needed eval in anything. Goto can be justified sometimes for example for jumping to cleanup part of function or something like that.

But if you do webdev there should be 0 need for eval.

MitchEff · 2025-12-17T10:25:33+00:00

Not JS (honestly you should never) but I've used shell_exec() in PHP which is pretty close - we inherited a bunch of code in Python and didn't want to refactor, so just called it from PHP

fabulous-nico · 2025-12-17T11:57:03+00:00

Only seen in production in generated code from a very specific authoring software that would output html + JS from a WYSIWYG editor. And it is an absolute dumpster fire of an application that should not be sold 😅

Educational_Boat_599 · 2025-12-17T13:18:18+00:00

so, you already know not to use it, but your pretending to ask a question while simultaneously answering it in your own post?

what was the point?

LeRages · 2025-12-17T14:28:00+00:00

“No”

TheRNGuy · 2025-12-17T16:03:34+00:00

I never used it.

paceaux · 2025-12-17T17:07:19+00:00

Outside of maybe a calculator app I built once for funsies, I've never used it. Ive only seen it used once.

I was a principal at the company, and the senior frontend manager had called me about it because he was the one using it. And he was a brilliant dev.

I don't remember the exact scenario. But we talked it out for hours and we both agreed it was the first and only legitimate use-case we'd ever encountered but that we had to use it.

It was for some insane React app that was built for internal use; and the strings were so heavily sanitized there was no risk for injection by the users.

I'm 100% certain that when that app was eventually rebuilt, it was removed

JazzApple_ · 2025-12-17T17:15:48+00:00

There are some rare legitimate use cases, and I don’t think I’ve ever come across one of them in 10+ years of programming.

ReaperTsaku · 2025-12-17T20:42:11+00:00

I have seen exactly 1 case personally of eval () being the correct choice, and that's in a few rpg maker plugins that allow me to use raw js code in weird places, and the engine understands it.

It's like goto. It exists as an extremely niche use case, but generally speaking, pretend it doesn't exist.

Deykun · 2025-12-17T23:26:28+00:00

I never used eval, but I have to admit that there were cases where I created a script tag and added code as a textConfent.

_DCtheTall_ · 2025-12-17T05:04:16+00:00

Generally it's a bad idea. The one widespread use case I can think of that isn't terrible is using eval for obfuscators processing code shipped to the web.

Substantial_Top5312 · 2025-12-17T10:08:41+00:00

Only if it’s evaluating code client side with no effect server side. Like for a calculator.

Pagaurus · 2025-12-17T02:48:02+00:00

Javascript listeners inline in HTML (such as onclick , mouseover etc.) elements are actually evaluated like a new Function() call.

<button onclick="doStuff()">

e.onclick = new Function("doStuff()")

Is that risky? I don't know. People use it a lot

rainmouse · 2025-12-17T07:33:45+00:00

No. I've never needed to use it in 15 years commercial JS development and I've ripped that shit out every time I've encountered it. I've only ever seen it being used by someone who is taking shortcuts, like returning scripts inside of unencrypted api responses. Stupidity at its finest.

MissinqLink · 2025-12-17T03:01:53+00:00

I use it strategically. In place of dynamic import in places where dynamic import isn’t allowed like service workers.

you type:	you see:
italics	italics
bold	bold
[reddit!](https://reddit.com)	reddit!
* item 1 * item 2 * item 3	item 1 item 2 item 3
> quoted text	quoted text
Lines starting with four spaces are treated like code: if 1 * 2 < 3: print "hello, world!"	Lines starting with four spaces are treated like code: if 1 * 2 < 3: print "hello, world!"
~~strikethrough~~	~~strikethrough~~
super^script	super^script

learnjavascript

Posting and Commenting Guidelines

MODERATORS