by r00fus
5291 days ago
I'd say it's pretty widely understood [1] to not use eval()-like clauses in any language simply because it's a wide open hole for security exploits. Is this seriously not well understood? If not, then we should promote more "eval considered harmful" type screeds.
[1] https://www.google.com/search?sourceid=chrome&ie=UTF-8&#...

I think it needs to not be covered at all for the most part in documentation that might be used by a beginner, in any language, not just JavaScript, rather than telling people about it then telling them not to use it.
It gets used because it is sometimes easier than the alternatives. If people don't know about eval() until they have learned enough to be capable of understanding the alternatives and the security implications of eval() then like us they'll do their level best to never use it.