Sometimes I have the feeling they are a bit over the top.
F.e.:
> eval should never be used. Any code that makes use of it should be questioned in its workings, performance and security. If something requires eval in order to work, it should not be used in the first place. A better design should be used, that does not require the use of eval.
The conclusion doesn't offer any advice what should be done instead of eval.
Somehow they assume everybody uses eval because it's convenient, and that there is a quick work around available. The functionality of eval, however, is non-trivial.
F.e.
- if you want to evaluate a lambda function given from the command line.
- if you want to execute javascript provided by a user in a browser window.
Command line and user in browser window can both be united into: executing the code provided by the user.
Eval can be closely compared to the execution of a binary file. Do you trust that user to upload an executable and run it on the host? Then eval is fine, otherwise - you are asking for trouble.
No, f.e. is not an accepted or known abbreviation, it's not perfectly correct. You can try and start one, after all yolo, lol, rotfl. Or perhaps not ;)
When I asked, I was wondering if it was a known abbreviation from an academic field I didn't know. I wouldn't use it, e.g. is the correct abbreviation to use in this instance.
> The conclusion doesn't offer any advice what should be done instead of eval.
In case anybody is actually wondering, you almost always want a Function constructor:
var add = new Function('arg1', 'arg2', 'return arg1 + arg2;');
The only exception I've ever run into was in miniature string templating where eval or with was used as a hacky way to generate the context. The best way to do that is to replace it with a function argument:
new Function() parses the JavaScript code stored in a string into a function object, which can then be called. It cannot access local variables because the code runs in a separate scope.
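An added example (not code from the thread) illustrating the two points above: a direct eval reads the caller's local variables while a Function-constructor function does not, and the mini-templating case is handled by passing the context keys as named parameters instead of eval or with. The function names and the template syntax are assumptions for this illustration.

```javascript
// Added example, not from the original thread: scope difference between
// eval and new Function, plus templating with context as named parameters.

function evalSeesLocals() {
  const secret = "local value";
  // Direct eval runs in the calling lexical scope, so it can read `secret`.
  return eval("secret");
}

function functionConstructorSeesLocals() {
  const secret = "local value";
  try {
    // new Function compiles the body in the global scope: `secret` is not
    // visible there, so the call throws a ReferenceError.
    return new Function("return secret;")();
  } catch (e) {
    return e instanceof ReferenceError ? "ReferenceError" : "other error";
  }
}

// Mini templating without eval/with: each key of the context object becomes
// a named parameter of the compiled function, so the template body can only
// see the values explicitly passed in, and an unknown placeholder fails
// loudly with a ReferenceError instead of silently rendering undefined.
// The template (e.g. "Hello ${name}") is wrapped in a JS template literal,
// so it is still compiled as code and must come from a trusted source, just
// like the string handed to eval; a template containing backticks is not
// supported by this minimal version.
function compileTemplate(template) {
  return function render(context) {
    const keys = Object.keys(context);
    const fn = new Function(...keys, "return `" + template + "`;");
    return fn(...keys.map((k) => context[k]));
  };
}
```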