除非您100%确定正在评估的代码来自可信的来源(通常是您自己的应用程序)，否则这将使您的系统暴露于跨站点脚本攻击。

除非您100%确定正在评估的代码来自可信的来源(通常是您自己的应用程序)，否则这将使您的系统暴露于跨站点脚本攻击。

如果你想让用户输入一些逻辑函数并计算与或，那么JavaScript的eval函数是完美的。我可以接受两个字符串和eval(ate) string1 === string2等。

随着带有JavaScript编译器的下一代浏览器问世，这可能会成为一个更大的问题。通过Eval执行的代码在这些新浏览器上的表现可能不如JavaScript的其他部分。应该有人来做侧写。

除非让eval()成为动态内容(通过cgi或输入)，否则它就像页面中所有其他JavaScript一样安全可靠。

eval() is very powerful and can be used to execute a JS statement or evaluate an expression. But the question isn't about the uses of eval() but lets just say some how the string you running with eval() is affected by a malicious party. At the end you will be running malicious code. With power comes great responsibility. So use it wisely is you are using it. This isn't related much to eval() function but this article has pretty good information: http://blogs.popart.com/2009/07/javascript-injection-attacks/ If you are looking for the basics of eval() look here: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/eval