Almost any modern JavaScript book recommends using subscript notation (e.g. object[key]) instead of eval() because of the following three reasons:

- evaled code execution is slow
- evaled code is less readable than the same code written with subscript notation
- evaled code is insecure
While the first two arguments make perfect sense to me, I don't understand the last one. AFAIK any code returned by client-side scripts should be treated as a potential security risk. Thus it should be sanitized on the server side before any further processing. So, security-wise, why would it matter whether eval() or any other obscure code is used on the client side?
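The security point raised in the question, as an added example that is not part of the original post: a property lookup by user-supplied path written both ways. With subscript notation the path is only ever a data key, so the untrusted string cannot execute; with eval() it is spliced into source text and whatever it contains runs in the page, regardless of what the server does with the result. The names getByPath, getByPathEval, recordSideEffect and the sample data are assumptions for this example.

```javascript
// Added example (not from the original post): reading a property by a
// user-supplied path with subscript notation instead of eval().
// Assumed names: getByPath, getByPathEval, recordSideEffect, settings.

const VALID_SEGMENT = /^[A-Za-z_$][\w$]*$/;

// Safe: each path segment is used as a data key. Text in the path can
// never be executed; an unknown, inherited or malformed key yields undefined.
function getByPath(obj, path) {
  let cur = obj;
  for (const seg of path.split('.')) {
    if (!VALID_SEGMENT.test(seg)) return undefined;
    if (cur === null || typeof cur !== 'object' ||
        !Object.prototype.hasOwnProperty.call(cur, seg)) {
      return undefined;
    }
    cur = cur[seg];
  }
  return cur;
}

// Unsafe counterpart, for comparison only: the path becomes source text,
// so any statement it carries runs with the page's privileges.
function getByPathEval(obj, path) {
  return eval('obj.' + path); // eslint-disable-line no-eval
}

// Constructed sample data plus a harmless recorder that counts executions.
const settings = { ui: { theme: 'dark' } };
let sideEffects = 0;
globalThis.recordSideEffect = () => { sideEffects += 1; return 'ran'; };

function demo() {
  const benign = 'ui.theme';
  // Constructed input that is a statement rather than a path.
  const untrusted = 'ui; recordSideEffect()';
  const viaSubscript = getByPath(settings, untrusted); // undefined, nothing runs
  let viaEval;
  try { viaEval = getByPathEval(settings, untrusted); } catch (e) { viaEval = e; }
  return {
    benignSubscript: getByPath(settings, benign), // 'dark'
    untrustedSubscript: viaSubscript,             // undefined
    untrustedEval: viaEval,                       // 'ran'
    sideEffects,                                  // 1: eval executed the input
  };
}
```

The hasOwnProperty check also keeps paths such as `ui.__proto__` or `ui.constructor` from walking up the prototype chain, which plain `cur[seg]` alone would allow.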
