Server Side: JavaScript - Avoid use of Eval function
Impact area: Security
Severity: High
Affected elements: Access Control, Script Include, Table Transformation Map, Transform Script, UI Action
Rule number: SN-0107-SERVER-SIDE
Impact
The eval() function evaluates or executes its argument as JavaScript. Improper use of eval() opens your code to injection attacks, and debugging becomes harder because errors raised inside evaluated code carry no line numbers.
Remediation
Avoid the use of eval: it encourages executing untrusted code. If you must execute arbitrary code, use GlideScriptEvaluator, which ensures the code came from a record.
Time to fix: 30 min
Code examples
Noncompliant code
let value = eval('obj.' + propName);
Compliant code
let value = eval(gs.getProperty('variableWhichHoldsSafeCode'));
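The noncompliant snippet splices a property name into source text, so whatever is in propName is executed rather than looked up. The following added example (plain JavaScript, not ServiceNow or the rule's own code; the record object, field allowlist and function names are constructed for illustration) shows the hardened form: the name stays data, is checked against a strict identifier pattern and an allowlist, and is read with bracket access instead of eval.

```javascript
// Constructed sample record standing in for a GlideRecord-like object.
const record = { short_description: "Printer offline", priority: 3, sys_id: "abc123" };

// Noncompliant pattern from the rule, kept for contrast: propName becomes
// part of the program text, so it can carry arbitrary statements.
function readUnsafe(obj, propName) {
  return eval('obj.' + propName);
}

// Hardened lookup. propName is never evaluated as code:
//  1. it must be a plain identifier (no ';', '(', '[', quotes, etc.),
//  2. it must be on an explicit allowlist of readable fields,
//  3. the value is fetched with bracket access only.
const READABLE_FIELDS = new Set(["short_description", "priority"]);
const IDENTIFIER = /^[A-Za-z_$][A-Za-z0-9_$]*$/;

function readSafe(obj, propName) {
  if (typeof propName !== "string" || !IDENTIFIER.test(propName)) {
    throw new TypeError("invalid property name");
  }
  if (!READABLE_FIELDS.has(propName)) {
    throw new RangeError("property not readable: " + propName);
  }
  return obj[propName];
}

// Returns true when readSafe rejects the name, false when it returns a value.
function isRejected(obj, propName) {
  try {
    readSafe(obj, propName);
    return false;
  } catch (e) {
    return true;
  }
}
```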