【eval】
1. Only strings are processed
If the argument of eval() is not a string, eval() returns the argument unchanged. In the following example, the String constructor is specified, and eval() returns a String object rather than evaluating the string.
You can work around this limitation in a generic fashion by using toString().
2. Indirect eval works only at global scope
If you use the eval function indirectly, by invoking it via a reference other than eval, as of ECMAScript 5 it works at global scope rather than local scope; this means, for instance, that function declarations create global functions, and that the code being evaluated doesn't have access to local variables within the scope where it's being called.
3. Accessing descendant properties
Avoiding eval() here could be done by splitting the property path and looping through the different properties:
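One way to implement the split-and-loop approach from item 3, as an added example that is not from the original page: getByPath and BLOCKED_KEYS are hypothetical names, and the sample object and paths are constructed. It goes slightly beyond the plain loop by rejecting prototype-chain keys and following only own properties, so a caller-supplied path is always treated as data.

```javascript
// Added example: resolve a dotted property path without eval().
// getByPath and BLOCKED_KEYS are hypothetical names, not from the original page.

// Keys that walk into the prototype chain; rejecting them keeps a
// caller-supplied path from reaching Object.prototype or constructors.
const BLOCKED_KEYS = new Set(['__proto__', 'prototype', 'constructor']);

function getByPath(root, path) {
  if (typeof path !== 'string' || path.length === 0) {
    throw new TypeError('path must be a non-empty string');
  }
  let current = root;
  for (const key of path.split('.')) {
    if (key === '' || BLOCKED_KEYS.has(key)) {
      throw new RangeError('illegal path segment: ' + JSON.stringify(key));
    }
    // Follow only own properties of objects/arrays; anything else is "not found".
    if (current === null || typeof current !== 'object' ||
        !Object.prototype.hasOwnProperty.call(current, key)) {
      return undefined;
    }
    current = current[key];
  }
  return current;
}

// Constructed sample data.
const config = { server: { tls: { minVersion: 'TLSv1.2' }, ports: [80, 443] } };

function demo() {
  const results = [];
  // Constructed paths, as they might arrive from a query string or config file.
  // The last one contains code-like text; it is only ever used as a key name.
  for (const p of ['server.tls.minVersion', 'server.ports.1', 'server.missing.x',
                   'server.__proto__.polluted', 'ports;alert(1)']) {
    try {
      results.push([p, getByPath(config, p)]);
    } catch (e) {
      results.push([p, 'rejected: ' + e.message]);
    }
  }
  return results;
}

console.log(demo());
```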
4. Deferred code execution
5. Don't use eval needlessly!
eval() is a dangerous function, which executes the code it's passed with the privileges of the caller. If you run eval() with a string that could be affected by a malicious party, you may end up running malicious code on the user's machine with the permissions of your webpage / extension. More importantly, third party code can see the scope in which eval() was invoked, which can lead to possible attacks in ways to which the similar Function is not susceptible.
eval() is also generally slower than the alternatives, since it has to invoke the JS interpreter, while many other constructs are optimized by modern JS engines.
There are safer (and faster!) alternatives to eval() for common use-cases.
Reference: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/eval