Javascript eval limits

Question

Is there a limit to javascript's eval, like in lenght?

I'm trying to build an app where you can store JS code in the DB, which you can later load and eval in order to execute it, but i'm reaching a limit. First of all, the code has to all be in one line. Any multiline statements are not executed. Next, i'm reaching a limit in length (i guess). If i execute the code manually, it works, but put that same code in the db, load it via ajax, and try to execute it, and it fails.

Any ideas why?

Answer 1

You don't need to use eval and its not exactly a good thing to use. You could just have it print out to the page and it will run.

Here is the accepted answer on why you should not use eval:

1. Improper use of eval opens up your code for injection attacks
2. Debugging can be more challenging (no line numbers, etc.)
3. eval'd code executes more slowly (no opportunity to compile/cache eval'd code)

Answer 2

I have run into this also. As others have said here - eval comes in handy when you are generating the Javascript on the fly and then want to have it execute on the browser. My usages of this technique are to go small things like a simple function that will just make a call back to the server when a button is pressed. Depending upon the circumstances there might be two functions or just one. I've also used it to display information that changes from a database. The information is always just plain text. So no injection attack can be done.

Anyway, I too have run in to this limitation of the Javascript EVAL statement and it seems to me that there is a 1024 character limit. When I go over this I start getting weird things like eval just spitting out the original text. This is really evident because I hex everything before sending it to the browser so I can have things like single and double quotes in the text without it causing eval any problems. (And hexing everything helps prevent injection attacks.)

I also side with the person who said to use getscript in jQuery. It works just as well as the eval without the size limitations. The only extra step you have to take is to create the Javascript file first.

I hope this helps and answers the original poster's question. That being I believe the size limitation is 1024 bytes.

Answer 3

You could create a javascript function that creates a script-tag dynamically ( createElement('script') and append it to the head- or bodytag) and point the source to your app. The src can contain parameters, used like a get request, like for example: src="jsapp.aspx?script=myscript&includefunction=loadfn" No eval needed. You can even define an onload handler for your new script tag. Plenty of documentation on the net for that.

You wouldn't even have to use XHR (AKA Ajax) for that.