"slow" is a relative term. It's "slower", yes, since it's not something
that can generally be statically evaluated and compiled/JITed by the
browser.

"less readable than the same code written with subscript notation".
That really depends on how you are using both.

"evaled code is insecure". Maybe. If you are straight evaling
something outside your control, such as something loaded from I/O
without sanitizing it first.

Eval does have its uses from time to time, especially when dealing
with cases where the JS language itself is far too clunky to solve the
problem.  For example:

https://groups.google.com/group/comp.lang.javascript/browse_thread/thread/c62aaf2edc9df81e#

And parsing JSON pre-ES5.


On Mar 13, 9:53 am, Jarek Foksa <[email protected]> wrote:
> Almost any modern JavaScript book recommends using subscript notation
> (e.g. object[key]) instead of eval() because of the following three
> reasons:
> - evaled code execution is slow
> - evaled code is less readable than the same code written with
> subscript notation
> - evaled code is insecure
>
> While the first two arguments make perfect sense to me,  I don't
> understand the last one.
>
> AFAIK any code returned by client-side scripts should be treated as a
> potential security risk. Thus it should be sanitized on the server
> side before any further processing.
>
> So, security-wise, why would it matter whether eval() or any other
> obscure code is used on the client side?
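
An added example, not part of the original thread or either poster's code: it contrasts an eval-based property lookup with subscript notation, and unchecked eval-based JSON parsing (the pre-ES5 approach) with the same eval guarded by a token check in the style of pre-ES5 JSON shims such as json2.js. All names, the sample inputs and the `__mark` stand-in are hypothetical and constructed for illustration.

```javascript
// Constructed sample data; none of these names come from the thread.
const settings = { theme: "dark", lang: "en" };
let injectedRuns = 0;
// Harmless stand-in for code smuggled in through a string.
globalThis.__mark = () => { injectedRuns += 1; return "x"; };

// eval-based lookup: the key is spliced into source text and compiled.
function getWithEval(obj, key) {
  return eval("obj." + key);
}

// Subscript notation: the key is only ever data, never parsed as code.
function getWithSubscript(obj, key) {
  return Object.prototype.hasOwnProperty.call(obj, key) ? obj[key] : undefined;
}

// Pre-ES5 JSON parsing with no check on the text.
function parseJsonUnchecked(text) {
  return eval("(" + text + ")");
}

// Same eval, but only after the text is shown to hold nothing except
// JSON tokens (assumed check, modelled on pre-ES5 JSON shims).
function parseJsonChecked(text) {
  const residue = text
    .replace(/\\(?:["\\\/bfnrt]|u[0-9a-fA-F]{4})/g, "@")
    .replace(/"[^"\\\n\r]*"|true|false|null|-?\d+(?:\.\d*)?(?:[eE][+\-]?\d+)?/g, "]")
    .replace(/(?:^|:|,)(?:\s*\[)+/g, "");
  if (!/^[\],:{}\s]*$/.test(residue)) throw new SyntaxError("not JSON");
  return eval("(" + text + ")");
}

function runDemo() {
  injectedRuns = 0;
  const hostileKey = "theme; __mark()";       // constructed input
  const hostileJson = '{"theme": __mark()}';  // constructed input
  const out = {};
  out.evalLookup = getWithEval(settings, hostileKey);           // runs __mark
  out.subscriptLookup = getWithSubscript(settings, hostileKey); // plain miss
  out.unchecked = parseJsonUnchecked(hostileJson).theme;        // runs __mark
  try { parseJsonChecked(hostileJson); out.checked = "parsed"; }
  catch (e) { out.checked = e.name; }                           // rejected
  out.valid = parseJsonChecked('{"theme":"light","n":[1,2]}').n.length;
  out.injectedRuns = injectedRuns;
  return out;
}
console.log(runDemo());
```
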
