Question: The security risk of eval()

Dear freeCodeCamp,

I recently came across a use case of accessing a variable by its name as a string. I learned that eval("variableName") can do the deed. However, I also learned that there are huge security risks in using eval(). See Never use eval()!

My question is, suppose I use React, and I store a string in a data-attribute of an HTML element, then I call eval() over this string via clicking a button, is it possible for others to modify the data-attribute in the browser console and why not so that they can execute whatever code they want?

To follow up, if eval() is insecure, what is the better alternative?

Thank you!
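The situation described in the question, as an added example that is not part of the original post: the same string read from a data-attribute is passed once to eval() and once to a keyed lookup. The names `state`, `readWithEval`, `readByKey` and `handleClick` are hypothetical, and the DOM `dataset` is modelled as a plain object with constructed values so the code runs outside a browser.

```javascript
// Constructed sample state; in a React app this would be component state or props.
const state = new Map([
  ['userCount', 42],
  ['themeName', 'dark'],
]);

// Pattern from the question, kept only for comparison:
// the attribute string is parsed and executed as JavaScript.
function readWithEval(attrValue) {
  const userCount = 42;     // locals the author meant to expose by name
  const themeName = 'dark';
  return eval(attrValue);
}

// Alternative: the string is only ever used as a Map key, so an edited
// attribute can select another allowed entry or fail, but never run as code.
function readByKey(attrValue) {
  if (typeof attrValue !== 'string' || !state.has(attrValue)) {
    throw new RangeError('unknown key: ' + JSON.stringify(attrValue));
  }
  return state.get(attrValue);
}

// Stand-in for a click handler that reads event.currentTarget.dataset.key.
function handleClick(dataset, reader) {
  try {
    return { ok: true, value: reader(dataset.key) };
  } catch (err) {
    return { ok: false, error: err.message };
  }
}

// Constructed attribute values: as shipped, and after being edited in devtools.
const original = { key: 'userCount' };
const edited = { key: 'userCount + 1' };

console.log('eval, original:', handleClick(original, readWithEval));
console.log('eval, edited:  ', handleClick(edited, readWithEval));
console.log('map,  original:', handleClick(original, readByKey));
console.log('map,  edited:  ', handleClick(edited, readByKey));
```

With the edited attribute, the eval() version evaluates the expression and returns its result, while the keyed lookup rejects the string because it is not a known key.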
