Is eval () dangerous in this Javascript code?

Question

I found a similar question about the danger of eval() in the case below, but the answer didn't solve the problem and answered If it was dangerous or not, It only suggested another method. That is why I am asking again hoping to get a new answer. Also It was posted in 2016

So I want to pass a condition as a parameter, I know that this can be a function, but I've read that eval () is 67% faster than new function () {return ...;}, that is why I am using eval ()

This is the code

var a = [0];


function LoopWithDelay (func, delay, param, condition){

 console.log(eval (condition));
 
  if (eval (condition)) {
  func (param);
  setTimeout (LoopWithDelay, delay, func, delay, param, condition);
 }
}


function increment (x){
 x[0] += 5;
}


LoopWithDelay (increment, 1000, a, "a[0]<10" );

When calling the LoopWithDelay() function I am passing the final parameter (condition) as a string so that It is evaluated inside the function eval (condition)

Is It wrong to use eval() in this case ?

[edited]
My main focus is to make this code reusable and eliminate redundancy. That is why I want to pass the condition as a parameter.

Example:
In a test application where the screen flashes at different speeds depending on how much time is left.
If t = 0s flash every 2000ms
If 10s<t<20s flash every 1000s
etc.

It just looks as u r doing loops in the air to achieve something much simpler. The danger here is unexpected behaviors and difficulty maintaining such code. Give an example to what condition can be. — Itay Moav -Malimovka, Jun 08 '20 at 00:05
If your string is fixed then it's safe to be used inside `eval`. But if your string is fixed, then you don't need to use eval! Provide a real example — Christian Vincenzo Traina, Jun 08 '20 at 00:06
@ItayMoav-Malimovka This is just a test, this function will be used later to manipulate the transform style of an element — EEAH, Jun 08 '20 at 00:07
In this exact case no, but will you always have 100% control over that `condition` input? Also, where did you read `eval` is 67% faster than `new Function` that number is just... magic. — Kaiido, Jun 08 '20 at 00:08
I'm sure that this won't be your real production code, otherwise you would just use `if(a[0]<10)`, without any hack. If your question is about security, you should consider the danger of user inputs and network responses — Christian Vincenzo Traina, Jun 08 '20 at 00:08
I'd say this is a dangerous game of early optimization. Sure, you could do this to speed up your application, but it's at the possible risk of security issues and less maintainable code. — WOUNDEDStevenJones, Jun 08 '20 at 00:08
Then you are better off creating a function that holds staticly references to the elements you want to tweak. The function goes noware after initial instantiation, and holding a ref for an element is quicker (I never tested this, seems logical) than doing an eval that looks for an elelemnt in the dom. — Itay Moav -Malimovka, Jun 08 '20 at 00:11
I will edit the post to clarify how I want to use It. Thank you — EEAH, Jun 08 '20 at 00:13
@Kaiido https://stackoverflow.com/a/86580/13695921 this post says that it is slower, the number 67% was in the third comment of the question in that page. Also this was posed in 2008. But what I was going for is getting the faster solution even If it is only 10% faster if there is no risk — EEAH, Jun 08 '20 at 00:16
Sorry but reading that answer all I see is that eval is slower than normal code execution, that it got a bit improved in later versions of browsers, but nothing about new Function, and nothing about eval being faster than anything else (because it isn't). — Kaiido, Jun 08 '20 at 00:21
Making choices based on "percentage faster" seems like a really poor use of your effort. Is 10% faster really worth using something like `eval()` if in reality that's 110 nano-seconds vs 100 nanoseconds? — Mark, Jun 08 '20 at 00:22
Also, the comments about the speed are comparing it to passing a string to `new Function()` in the [sense used here](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Function/Function), which is similar to eval. This is *much* different than passing an *actual* function reference like `() => a[0]<10`. — Mark, Jun 08 '20 at 00:26

score 1 · Accepted Answer · answered Jun 08 '20 at 01:21

It really looks like you are just trying to make a dynamic test that can react to something that changes in your code at runtime. You would typically do this by passing a function as a parameter, not a string with code to be later "eval()ed". This is the way you typically pass "behavior" or evaluate something that is only available at runtime. And it is very common in javascript. This has the same behavior, but doesn't need eval():

var a = [0];

function LoopWithDelay(func, delay, param, condition) {

  let condition_val = condition()
  console.log(condition_val);

  if (condition_val) {
    func(param);
    setTimeout(LoopWithDelay, delay, func, delay, param, condition);
  }
}


function increment(x) {
  x[0] += 5;
}

// capture `a` in the closure of the passed-in function
LoopWithDelay(increment, 1000, a, () => a[0] < 10);

Thank you. I edited the question and added how the code is used. Yes the condition may sometimes change at runtime, but the main focus was to eliminate redundancy if it was goin to be used multiple times. — EEAH, Jun 08 '20 at 01:28

Is eval () dangerous in this Javascript code?

1 Answers1