为什么使用 JavaScript eval 函数是个坏主意? [英] Why is using the JavaScript eval function a bad idea?

问题描述

eval 函数是一种强大且简单的动态生成代码的方法，那么有哪些注意事项?

The eval function is a powerful and easy way to dynamically generate code, so what are the caveats?

推荐答案

1. eval 的不当使用会打开你的注入攻击代码

1. Improper use of eval opens up your code for injection attacks

调试可能更具挑战性(没有行号等)

Debugging can be more challenging (no line numbers, etc.)

eval 代码执行速度较慢(没有机会编译/缓存 eval 代码)

eval'd code executes slower (no opportunity to compile/cache eval'd code)

正如@Jeff Walden 在评论中指出的那样，今天的 #3 不如 2008 年那么真实.但是，虽然可能会发生一些编译脚本的缓存，但这只会仅限于使用 eval 重复的脚本没有修改.更可能的情况是您正在评估每次都经过轻微修改的脚本，因此无法缓存.我们只是说一些 eval 的代码执行得更慢.

As @Jeff Walden points out in comments, #3 is less true today than it was in 2008. However, while some caching of compiled scripts may happen this will only be limited to scripts that are eval'd repeated with no modification. A more likely scenario is that you are eval'ing scripts that have undergone slight modification each time and as such could not be cached. Let's just say that SOME eval'd code executes more slowly.

这篇关于为什么使用 JavaScript eval 函数是个坏主意?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！