
Sometimes I have the feeling they are a bit over the top. F.e.:

eval should never be used. Any code that makes use of it should be questioned in its workings, performance and security. If something requires eval in order to work, it should not be used in the first place. A better design should be used, that does not require the use of eval.

The conclusion doesn't offer any advice on what should be done instead of eval.

Somehow they assume everybody uses eval because it's convenient, and that there is a quick workaround available. The functionality of eval, however, is non-trivial.

F.e.:

- if you want to evaluate a lambda function given from the command line;

- if you want to execute JavaScript provided by a user in a browser window.

Command line and user in a browser window can both be united into one case: executing the code provided by the user.

Eval can be closely compared to the execution of a binary file. Do you trust that user to upload an executable and run it on the host? Then eval is fine; otherwise you are asking for trouble.


Out of interest what does F.e. mean? You seem to be using it in place of the usual e.g.


Same thing, English instead of Latin.

It's simply an abbreviation that doesn't really respect the conventions as you are used to seeing them.


Thanks for pointing it out. I wasn't aware that f.e. is not accepted as a standard English abbreviation.


To be honest, I couldn't tell if it is accepted or not.

I think it is, but we simply don't see it that often. As far as I can tell, it is perfectly correct to abbreviate it in the English language.

http://www.encyclopedia.com/doc/1O25-fe.html


No, f.e. is not an accepted or known abbreviation; it's not perfectly correct. You can try and start one, after all yolo, lol, rotfl. Or perhaps not ;)

When I asked, I was wondering if it was a known abbreviation from an academic field I didn't know. I wouldn't use it; e.g. is the correct abbreviation to use in this instance.


Interesting. Most references that I found say that f.e. is not correct. ;)


For example, probably.


> The conclusion doesn't offer any advise what should be done instead of eval.

In case anybody is actually wondering, you almost always want a Function constructor:

    var add = new Function('arg1', 'arg2', 'return arg1 + arg2;');
The only exception I've ever run into was in miniature string templating where eval or with was used as a hacky way to generate the context. The best way to do that is replace with a function argument:

    tmpl_str.replace(/{{(\w+)}}/g, function(_, key) { return ctx[key]; })
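
The templating alternative above, filled out as an added example (my code, not the commenter's, the article's or any project's): the template stays data and the only executable code is a fixed substitution function. The names `render`, `renderHtml`, `lookup`, `escapeHtml` and the sample template and context are assumptions; the `{{key}}` syntax follows the comment.

```javascript
// Added example: string templating without eval or with.
// Only own properties of the supplied context are substituted, so a template
// containing {{constructor}} or {{__proto__}} cannot read off Object.prototype.
function lookup(ctx, key) {
  return Object.prototype.hasOwnProperty.call(ctx, key) ? String(ctx[key]) : '';
}

function render(tmplStr, ctx) {
  return tmplStr.replace(/\{\{(\w+)\}\}/g, function (_, key) {
    return lookup(ctx, key);
  });
}

// Same mechanism, one more transform: HTML-escape substituted values so that
// user-controlled context values cannot become markup.
function escapeHtml(s) {
  var map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, function (c) { return map[c]; });
}

function renderHtml(tmplStr, ctx) {
  return tmplStr.replace(/\{\{(\w+)\}\}/g, function (_, key) {
    return escapeHtml(lookup(ctx, key));
  });
}

// Constructed sample input (not real data): a template that probes a missing
// key and a prototype member, and a context value carrying markup.
var sampleTemplate = 'Hello {{name}}, you have {{count}} messages.{{missing}}{{constructor}}';
var sampleCtx = { name: '<b>Mallory</b>', count: 3 };

console.log(render(sampleTemplate, sampleCtx));
console.log(renderHtml(sampleTemplate, sampleCtx));
```

Missing keys and inherited properties render as empty strings rather than throwing, which is the behaviour a template engine usually wants; if you would rather fail closed, make `lookup` throw instead.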


> In case anybody is actually wondering, you almost always want a Function constructor

I don't see how that's any different from eval.

What you almost always want is a better abstraction of your data and operations, one that allows you to stop treating data as code.
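
An added example of the "better abstraction" this comment asks for, applied to the command-line case raised earlier in the thread: instead of eval'ing a user-supplied expression string, parse it with a fixed grammar into a tree and walk the tree. This is my code, not the article's or any project's; the grammar (numbers, variables, + - * /, unary minus, parentheses) and the names `tokenize`, `parse`, `evaluate` and `safeEval` are assumptions.

```javascript
// Added example: evaluate a user-supplied arithmetic expression without eval.
// The string is turned into an AST by a fixed grammar; there is no way to
// express a call, a property access or an assignment, so the input stays data.

// Sticky regex: each exec must match exactly at lastIndex.
var TOKEN = /\s*(?:(\d+(?:\.\d+)?)|([A-Za-z_]\w*)|([-+*\/()]))/y;

function tokenize(src) {
  var tokens = [];
  src = src.trim();
  TOKEN.lastIndex = 0;
  while (TOKEN.lastIndex < src.length) {
    var m = TOKEN.exec(src);
    if (!m) throw new Error('unexpected character in expression');
    if (m[1] !== undefined) tokens.push({ type: 'num', value: parseFloat(m[1]) });
    else if (m[2] !== undefined) tokens.push({ type: 'id', value: m[2] });
    else tokens.push({ type: 'op', value: m[3] });
  }
  return tokens;
}

// Recursive-descent parser:
//   expr  := term (('+'|'-') term)*
//   term  := unary (('*'|'/') unary)*
//   unary := '-' unary | number | identifier | '(' expr ')'
function parse(tokens) {
  var i = 0;
  function peekOp(chars) {
    var t = tokens[i];
    return t && t.type === 'op' && chars.indexOf(t.value) !== -1 ? t.value : null;
  }
  function unary() {
    var t = tokens[i];
    if (!t) throw new Error('unexpected end of expression');
    i++;
    if (t.type === 'num') return { kind: 'num', value: t.value };
    if (t.type === 'id') return { kind: 'var', name: t.value };
    if (t.value === '-') return { kind: 'neg', arg: unary() };
    if (t.value === '(') {
      var inner = expr();
      if (peekOp(')') === null) throw new Error('missing )');
      i++;
      return inner;
    }
    throw new Error('unexpected token ' + t.value);
  }
  function term() {
    var node = unary(), op;
    while ((op = peekOp('*/')) !== null) { i++; node = { kind: 'bin', op: op, left: node, right: unary() }; }
    return node;
  }
  function expr() {
    var node = term(), op;
    while ((op = peekOp('+-')) !== null) { i++; node = { kind: 'bin', op: op, left: node, right: term() }; }
    return node;
  }
  var ast = expr();
  if (i !== tokens.length) throw new Error('trailing input');
  return ast;
}

function evaluate(node, vars) {
  switch (node.kind) {
    case 'num': return node.value;
    case 'var':
      // Variables resolve only against the caller's own table, never against
      // globals and never against inherited properties such as "constructor".
      if (!Object.prototype.hasOwnProperty.call(vars, node.name)) throw new Error('unknown variable ' + node.name);
      return vars[node.name];
    case 'neg': return -evaluate(node.arg, vars);
    case 'bin':
      var a = evaluate(node.left, vars), b = evaluate(node.right, vars);
      if (node.op === '+') return a + b;
      if (node.op === '-') return a - b;
      if (node.op === '*') return a * b;
      if (b === 0) throw new Error('division by zero');
      return a / b;
  }
}

// What you would call with the string taken from argv, plus the values it may use.
function safeEval(src, vars) {
  return evaluate(parse(tokenize(src)), vars || {});
}

console.log(safeEval('(x + 1) * 2', { x: 3 }));  // 8
```

Anything outside the grammar, such as `process.exit(1)` or `constructor`, is rejected at the tokenizer or the variable lookup rather than executed; extending the language means adding a grammar rule, not widening what the string is allowed to do.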


new Function() parses the JavaScript code stored in a string into a function object, which can then be called. It cannot access local variables because the code runs in a separate scope.


The Function constructor, as well as setInterval() and setTimeout() with stringified functions, is almost as insecure as eval().

Until now I don't think that I have ever encountered a case where any of these was the only possible solution.
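
An added example (mine, not from the thread) that makes the last two comments concrete: `new Function` does separate scope, as the earlier comment says, but it does not remove privilege, which is why this comment ranks it next to eval. The names `probe` and `functionCanReachGlobals` are mine, and the marker property written on `globalThis` stands in for whatever real global state untrusted code would actually target.

```javascript
// Added example: the Function constructor separates scope, not privilege.

// Direct eval sees the caller's local variables; code built with new Function
// runs in its own scope and cannot. That is the whole difference.
function probe(expr) {
  var secret = 'local-only';                                  // a local the string should not see
  var viaEval = eval(expr);                                   // direct eval runs in this scope
  var viaFunction = new Function('return (' + expr + ')')();  // fresh scope, globals only
  return { viaEval: viaEval, viaFunction: viaFunction };
}

// "Separate scope" is not "sandbox": the string still runs as full JavaScript
// with the global object in reach, and that is where the dangerous capabilities
// live (the DOM and fetch in a browser, process in Node).
function functionCanReachGlobals() {
  // Constructed stand-in for attacker-supplied text.
  var untrustedString = 'globalThis.__addedExampleMarker = "written by untrusted code"';
  new Function(untrustedString)();
  var marker = globalThis.__addedExampleMarker;
  delete globalThis.__addedExampleMarker;
  return marker;
}

// Timers given a string are the same thing in disguise. Node's setTimeout only
// accepts functions, so this browser-only form is shown but not executed:
//   setTimeout('globalThis.__addedExampleMarker = 1', 0);

console.log(probe('typeof secret'));   // { viaEval: 'string', viaFunction: 'undefined' }
console.log(functionCanReachGlobals());
```

If the string comes from anyone you would not let upload and run a binary on the host, the scope difference buys nothing; what matters is that the string is still executed.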



