When the eval() function is called, it expects a string to be passed to it as its single argument value. The contents of that string should be syntactically correct executable script source text.

The script code gets executed and any result it generates is returned. That value must be explicitly returned, otherwise the result will be undefined.

Warnings:

• If the script source passed to the eval() function cannot be parsed without failure, a run-time error will result.

• Be careful how you let people pass values from outside into this function. It is feasible to provide a way for a user to type in some valid JavaScript and to then execute it for them in an eval() function. This can be dangerous, not only because it exposes all the variables in the script but also it may be possible to construct a JavaScript that when executed, talks back to the server that provided the page in the first place.

• It would be an unusual thing to do anyway, but the possibility may be there to compromise your server security. It rather depends on the security in the hosting environment. Possibly an eval() action is not permitted to do things that a non-user-modifiable script embedded in a web page can do. However, this is likely to be very implementation specific.

Example code:

   // Create some script source

   var scriptCode = "c = a * b";

   var a = 5;

   var b = 10;

   var c = 2;

   document.write(c);

   document.write("<BR>");

   eval(scriptCode);

   document.write(c);

Property attributes:

DontEnum.

Cross-references:

ECMA 262 edition 2 - section - 10.1.2

ECMA 262 edition 2 - section - 15.1.2.1

ECMA 262 edition 3 - section - 10.1.2

ECMA 262 edition 3 - section - 15.1.2.1

Wrox Instant JavaScript - page - 28