What are the ways to apply eval in Javascript


There is more than one way to make a eval() in javascript, problem is that it can be a danger to the user if misused.

Internally some other methods also make eval, for example setTimeout() that if put in the argument of callback a string it will apply an eval.

What are the ways to apply eval in Javascript?


Complementary to the subject, I found this question that addresses the implications   of using eval .

asked by anonymous 08.02.2014 / 16:52

3 answers


I'll show eight different types that transform strings into code that can be executed immediately. In this case, I'm using pure javascript only, but libraries like jQuery have methods that can implicitly be exploited as eval.

eval ()

Own eval

eval("alert('lorem ipsum')");

setTimeout ()

setTimeout is the best-known example of using eval case you pass a string.

// Ambos são equivalentes
setTimeout("alert('lorem ipsum')", 100);
setTimeout(function(){ eval("alert('lorem ipsum')"); }, 100);

setInterval ()

setInterval is similar to setTimeout, but runs every time and not just at the end of the chosen time.

// Ambos são equivalentes
setInterval("alert('lorem ipsum')", 100);
setInterval(function(){ eval("alert('lorem ipsum')"); }, 100);

new Function ()

Function can implicitly be considered a form of eval because it accepts strings

var adder = new Function("a", "b", "return a + b");

document.write ()

document.write , if used to write <script> tags, also works as eval

document.write('<script>alert("lorem ipsum")</script>')

document.writeln ()

document.writeln is very similar to document.write, however adds a new line to the end.

document.writeln('<script>alert("lorem ipsum")</script>')

Data URI

Data URIs are the most atypical example, but are eventually used to exploit browser failures. / p>

var s = document.createElement('script');
s.src = 'data:text/javascript,' + encodeURIComponent('alert("lorem ipsum")')

Reference: self-knowledge, MDN links and link


Similar to approaching date URIs, but inserting the code directly rather than using the src attribute:

var s = document.createElement('script');
s.appendChild(document.createTextNode('alert("lorem ipsum");'));


Also similar to the date URIs, however inserting the code into the% of page%:

location.replace('javascript:alert("lorem ipsum");void(0)');
06.03.2014 / 01:39

In fact, setTimeout and setInterval can use a method similar to eval() if they do not receive a function (anonymous or referenced) as the first parameter.

The desired, good practice would be:

// declarar a função antes
function foo(){

// usar uma função anónima

If you pass a string to these methods, for example:

setTimeout('alert(foobar)' ,1000);

this might have implications serious security issues, but also scope issues . This string will be evaluated in the general scope, and if in this case the variable foobar is in the same scope as the seTimeout but not in the general scope, it will not be found.


Another way is to insert new script on the page as a string. So using:

var s = document.createElement('script');
s.type = 'text/javascript';
s.text = 'alert("Olá mundo!");';
08.02.2014 / 17:29

Two other ways ways of exuecting Javascript code from a string are the Function constructor

var f = new Function('alert("oi")');

and create a <script> tag, as suggested here :

var scrEl = document.createElement('script');
scrEl.innerHTML = "window.alert(1);"
08.02.2014 / 17:14