The popular Toolbox plugin allows you to easily and quickly insert JS snippets into your app. Some of you may know that it uses the Eval function to do so, which poses a potential security risk. My question is, if you don’t use user-provided dynamic data in the snippet, is it still a risk?
You answered your question with a question!
2 Likes
But is it zero risk or just vastly reduced risk? And from an optimization standpoint it still seems like a bad practice.
Where is the risk? In your code?
Who else/where else would the code be able to be modified? Could you, or one of your developers, inject bad code? Absolutely.