5

Assuming there is no browser-side security loophole that can be used to modify someone's computer, I don't understand how using eval could lead to any real threat.

Could someone explain how that could be possible? Someone could display something on a user's computer, but no real harm could be done without a redirection or accepted download. No server-side damage could be done, right?

PitaJ

4 Answers

3

When you hand over control of JavaScript, it isn't just its execution that could prove harmful. With Ajax, you could possibly load a Flash object, or a PDF, or a Java applet, into the current page itself. That would present no dialog and you would be invoking plugins (which have a lot more privileges than the browser itself).

So, in theory, it could cause as much damage as your plugins themselves allow, which is usually quite a lot.

Anirudh Ramanathan
2

JavaScript provides access to many ways to cause a browser to send data to a server. They could be leveraged to launch attacks against the server (including denial of service attacks).

Quentin
1

Any data stored in a globally-accessible JavaScript variable (by your code, or third-party code) is available to code passed to eval.

Depending on what’s stored in there (e.g. user authentication tokens) and how the system is designed, a lot of server-side damage could be wrought from that.

Paul D. Waite
1

Because eval can result in the execution of code, it creates a vulnerability on your site unless you are 100% in control of that code (and this is very, very rare, or you wouldn't be considering eval anyway).

This vulnerability does not necessarily affect your server negatively, but it can affect your user very seriously, and in some cases allow a hacker to steal your user's cookies, get access to his session, and many other things.

One simple example is eval executing a malicious script that sends a POST to your server with all necessary information for your server to delete or change a user's data. Because the request is actually coming from your user's session, it is a perfectly valid request.

cernunnos
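To make Paul D. Waite's and cernunnos's points concrete, here is an added demonstration (not code from any of the answers) of a page that parses a server response with eval versus JSON.parse; the global `sessionToken` and the payload string are constructed for the example.

```javascript
// Added example: why eval on untrusted input is a problem, and what to use instead.

// Constructed stand-in for "data stored in a globally-accessible variable",
// such as an auth token a page keeps in a global for its Ajax calls.
globalThis.sessionToken = "constructed-session-token";

// Risky: "parsing" a JSON-looking payload with eval executes whatever it contains,
// with the same origin, cookies and globals as the page's own scripts.
// In a browser with a Content-Security-Policy that omits 'unsafe-eval',
// this call throws an EvalError instead of running the payload.
function parseWithEval(untrusted) {
  return eval("(" + untrusted + ")");
}

// Safe: JSON.parse accepts data only; anything that is not JSON is rejected.
function parseSafely(untrusted) {
  return JSON.parse(untrusted);
}

// Constructed payload: looks like an object literal, but one "value" is an
// expression that reads the page's global instead of a literal.
const payload = '{"id": 1, "leak": globalThis.sessionToken}';

// Run both parsers on the same payload and report what each one produced.
function demo() {
  const viaEval = parseWithEval(payload); // returns { id: 1, leak: "<token>" }
  let viaJson;
  try {
    viaJson = parseSafely(payload);
  } catch (e) {
    viaJson = e.name; // "SyntaxError": the payload is not valid JSON
  }
  return { viaEval, viaJson };
}

console.log(demo());
```

The same difference applies to any data-carrying format: a parser that cannot execute code cannot be turned into a script injection point, whereas eval always can.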