
Use of Eval

Jul 19, 2016 at 3:28 PM
First, I love your work. Please keep at it.

While looking over the code for this solution, I noticed the use of the eval() function on line 99 of the ssw.js file.

https://speasyforms.codeplex.com/SourceControl/latest#SPEasyForms/Elements/SPEasyFormsAssets/JavaScript/ssw.js

Why is eval used instead of JSON.parse? The use of eval is hard to get past my security folks.

Kind regards,

Charles Babcock, MCT
Coordinator
Jul 20, 2016 at 9:02 PM
Edited Jul 20, 2016 at 9:04 PM
Hi Charles,

So ssw.js is a third party library, not my code, so I can't say why they used eval instead of JSON.parse. But I'm also using jquery-ui, which also uses eval once. I'm not sure I'm willing to go into all of the third party libraries and try to remove any use of eval. I understand that eval is hard to get by security people, but modifying third party libraries can be a testing nightmare when it comes to trying to keep current with the latest versions, and eval is not universally evil (despite what security folks and some code review checklists might suggest). I'd certainly be willing to get rid of SSW altogether if somebody can suggest an alternative (i.e. another library that abstracts HTML 5 storage and normalizes cross-browser support). Getting rid of jquery-ui, however, is more work than I'm willing to tackle ;)

Joe
Marked as answer by mcsheaj on 7/29/2016 at 3:25 PM
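
An added example for readers of this thread (not code from ssw.js, jquery-ui or SPEasyForms): it contrasts reading a stored string with eval against reading it with JSON.parse. It assumes the eval in question deserializes stored values, which the thread does not show; the in-memory `storage` object, the function names and the sample values are all constructed for illustration.

```javascript
// Constructed in-memory stand-in for window.localStorage so the example runs in Node.
const backing = new Map();
const storage = {
  getItem: (key) => (backing.has(key) ? backing.get(key) : null),
  setItem: (key, value) => backing.set(key, String(value)),
};

// Hypothetical reader using the pattern reviewers flag: the stored string is run as code.
function readWithEval(key) {
  const raw = storage.getItem(key);
  return raw === null ? null : eval('(' + raw + ')');
}

// Hypothetical replacement: JSON.parse accepts data only and throws on anything else.
function readWithJsonParse(key, fallback = null) {
  const raw = storage.getItem(key);
  if (raw === null) return fallback;
  try {
    return JSON.parse(raw);
  } catch (err) {
    return fallback; // corrupt or tampered value: treat as missing
  }
}

function demo() {
  // Well-formed value: both readers return the same object.
  storage.setItem('prefs', JSON.stringify({ view: 'compact' }));
  const viaEval = readWithEval('prefs');
  const viaParse = readWithJsonParse('prefs');

  // Constructed tampered value: an expression with a harmless, observable side effect.
  storage.setItem('tampered', '(globalThis.evalRan = true, {"view":"compact"})');
  globalThis.evalRan = false;
  const parsedTampered = readWithJsonParse('tampered');
  const ranAfterParse = globalThis.evalRan; // still false: nothing was executed
  readWithEval('tampered');
  const ranAfterEval = globalThis.evalRan; // now true: the stored text ran as code
  return { viaEval, viaParse, parsedTampered, ranAfterParse, ranAfterEval };
}

console.log(demo());
```

Anything that can write to the same storage origin controls what the eval-based reader executes, which is the concern a code review checklist is encoding.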