Unsafe Eval

Eval Really is Dangerous

Discusses how many of the obvious ways to blacklist dangerous Python expressions fail to make eval safe.

Comments on a Case For Safe Eval

An example of the tricks people play to try to make eval safe, and how quickly they tend to fall down. Eevee's On Principle is a good discussion of why you should be suspicious of these efforts on principle, even if you can't articulate the flaw at first.

It's possible to write arbitrary JavaScript using just the characters `()[]!+`, which means that sanitizing JavaScript for eval is so limiting as to be useless, even aside from the theoretical reasons you shouldn't want to try.

Safe Eval

There are a number of languages where eval is much safer than in Python or JavaScript, or at least can be made much safer by using the proper APIs. I'm much less familiar with those, but they include Perl, Racket and E.

The E Language

S5: Engineering Eval

Dark corners of JavaScript eval, and how S5, a formal semantics for JavaScript, implements eval.