我要创建一个网站，我做的Ajax请求后我打开一个静态容器页面加载一些动态内容。基本上，我需要一个整型数组从服务器传递到页面，我使用jQuery来加载数据。我写的整数与一个已知名称的标签中，并使用eval从中读取数据。下面是一个示例标记（从阿贾克斯返回）：

I'm creating a website where I'm doing ajax requests to load some dynamic content AFTER I load a static container page. Basically, I need to pass an array of integers to the page from the server, and I'm using jQuery to load data. I am writing the ints inside a tag with a know name, and using eval to read data from it. Here's a sample tag (returned from ajax):

＆LT;跨度=服务器级=隐藏ID =PhotoList/＆GT; 与codebehind list.ForEach（P =＆GT; {sb.Append（p.ID.ToString（）+）;}）; 其中SB是一个StringBuilder，所以服务器作为一个结果返回类似：

<span runat="server" class="hidden" id="PhotoList" /> with the codebehind list.ForEach(p => { sb.Append(p.ID.ToString() + ","); } ); where sb is a StringBuilder, so the server as a result returns something like:

＆LT;跨度=服务器级=隐藏ID =PhotoList＆GT; 1,4,5,42,9＆LT; / SPAN＆GT;

我有一个变量 photoList 在JavaScript中声明的，我叫 VAR scriptToEval =photoList =+ $（＃PhotoList ）。html的（）+];;

I have a variable photoList declared in the javascript, and I call var scriptToEval = "photoList = [" + $("#PhotoList").html() + "];";

的eval（scriptToEval）;

我不是Javascript的大师，我只是想确保，这是安全的，因为有很多的讨论，是否评估安全与否。我认为这是安全的（那些我所贴的所有code我使用的是与EVAL），但我可能已经错过了点，所以专业人士的意见对我很重要。我知道为什么他们说的eval是危险的，因为它能够为跨preting任何code，恶意与否，但在这里，我觉得这种方式不能在所有受到影响，从服务器的响应是完全我的控制之下。另一种办法是进行另一次Ajax调用的变量，并直接加载它们无需从返回数组阿贾克斯，但大公将总结两个电话，（我已经使负载呼叫无论如何，因为它确实加载从服务器一些HTML内容），但这样一来，即使有点哈克（把变量放入一个隐藏的HTML标记），好像方便（ASP.NET还做这行视图状态也毕竟！）。

I am not a master of Javascript and I just want to be sure that this is safe, as there's lots of discussion on whether eval is safe or not. I THINK this is safe (the ones I've pasted is all the code I'm using with eval), but I may have missed a point, so a professional's opinion is important for me. I know why they say eval is dangerous, as it is capable for interpreting any code, malicious or not, but here, I think this way cannot be compromised at all, as the response from the server is completely under my control. Another option would be making ANOTHER ajax call for the variables and load them directly without ajax from the returned array, but thay would sum to two calls, (I already make the load call anyway as it really loads some HTML content from the server) but this way, even though a bit hacky (putting variables into a hidden HTML tag), seems convenient (and ASP.NET also does this for viewstate too after all!).

我的重点是EVAL无论如何，这是绝对安全的，或者我应该有一些安全方面的考虑？ Javascript的专家吧。

My focus is on eval anyway, is this perfectly safe, or should I have some security considerations? Javascript experts please.

推荐答案

安全，是的，假设你的服务器是安全的。一般要真正避免使用唯一一次的eval（）是用户可以添加code的其他用户就可以看到。就像你从来没有想要使用的eval（）显示论坛上发帖等时，如果code是从你的服务器的到来，或者如果用户的输入只被显示给他/她自己，的eval（）是好的。实际上，这就是的jsfiddle 一样。

Safe, yes, assuming your server is secure. Generally the only time you want to truly avoid using eval() is when users are able to add code which other users can see. Like you'd never ever want to use eval() when displaying a forum post, etc. If the code is coming from your server, or if the user's input is only being displayed back to himself/herself, eval() is fine. This is essentially what jsfiddle does.