Thoughts
Commenters on Hacker News defending W3Schools. Look at this:
=> https://www.w3schools.com/jsref/jsref_eval.asp
I quote:
> No NOT use eval()
> Executing JavaScript from a string is an BIG security risk.
> With eval(), malicious code can run inside your application without permission.
> With eval(), third-party code can see the scope of your application, whitch can lead to possible attacks.
Okay; so, I try to avoid mocking English-second-language speakers on here, it's one of my off-limits topics. And I don't know the context of the person who wrote that. But read that excerpt again out loud. Yeah.
And this is published content acting as an authority on the subject. I expect better from this page than from a random person or internet comment.
The MDN's page is a little long-winded, I'll admit. There are some phrases in the middle of the MDN's description that could be misleading. But there's so much more useful information in there. Performance, comparisons to `JSON.parse` and `new Function`, the behavior when `eval` is given a non-string object. Etc.
Like, I don't know how to respond to people on HN that are just wrong.
> [W3Schools is] criticized by the vocal newbies who are chasing the newest and shiniest.
Really? Then why is there an open letter from 2011 saying that "their faulty information is a detriment to the web"?
=> https://web.archive.org/web/20110412103745/http://w3fools.com/
Which has since been rescinded because W3Schools has improved on the addressed issues.
=> https://w3fools.com
(They went from not mentioning that eval could be harmful to "No NOT use eval()".)
I don't get it.