I am testing some code I found while reading a book. I get this error while testing it out in JSFiddle: document.write can be a form of eval.
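    var text = '<html><body bgcolor=linen><p>' +
        'This is <b>bold<\/b>!<\/p><\/body><\/html>';
    // Matches either a run of plain text or a single tag.
    // Groups: [1] closing slash, [2] tag name, [3] attributes.
    var tags = /[^<>]+|<(\/?)([A-Za-z]+)([^<>]*)>/g;
    var a, i;
    while ((a = tags.exec(text))) {
        for (i = 0; i < a.length; i += 1) {
            // entityify() is not a built-in String method; it has to be
            // defined elsewhere before this line will run.
            document.writeln(('// [' + i + '] ' + a[i]).entityify());
        }
        document.writeln();
    }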
I am getting the above JSFiddle warning on both lines with document.writeln().
Note that this is a warning only - but a good one that should be respected. It is actually being generated by a checker called JSLint - and a good read for the reasoning of this warning is available at http://www.jameswiseman.com/blog/2011/03/31/jslint-messages-document-write-can-be-a-form-of-eval/.
Basically, the foundation of this is that "eval is evil" - and that document.write can be used to perform evaluations.
Besides this - and not mentioned in the above, avoid document.write whenever possible, except for maybe simple testing. It writes to the DOM after it is considered to be "complete", and modifications at this point should only be made using the supported DOM methods. Additional details concerning this are covered at Why is document.write considered a "bad practice"? - where it is mentioned that it is "Far better to use the safe and DOM friendly DOM manipulation methods" (document.createElement, element.appendChild, etc.). A good concrete example of this is available at https://developer.mozilla.org/en-US/docs/Web/API/Document_object_model/Using_the_W3C_DOM_Level_1_Core.
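
The loop from the question rewritten with the DOM methods the answer names, as an added example that is not part of the original question or answer. The function names `matchLines` and `renderLines` are hypothetical; because every line goes into a text node, the markup in the matched strings is displayed rather than parsed, so no escaping helper is needed and nothing is handed to the HTML parser.

```javascript
// Constructed sample input: the same string as in the question.
var text = '<html><body bgcolor=linen><p>' +
    'This is <b>bold<\/b>!<\/p><\/body><\/html>';

// Pure step: run the regexp and return one display line per capture group,
// followed by an empty line after each match (as writeln() did).
function matchLines(source) {
    // Created locally so the /g regexp always starts with lastIndex 0.
    var tags = /[^<>]+|<(\/?)([A-Za-z]+)([^<>]*)>/g;
    var lines = [], a, i;
    while ((a = tags.exec(source))) {
        for (i = 0; i < a.length; i += 1) {
            lines.push('// [' + i + '] ' + a[i]);
        }
        lines.push('');
    }
    return lines;
}

// DOM step: append the lines to `parent` inside a <pre>, using text nodes only.
// `doc` is the browser's document, or any object offering the same two
// factory methods (which is what lets this run outside a browser).
function renderLines(doc, parent, lines) {
    var pre = doc.createElement('pre');
    lines.forEach(function (line) {
        // createTextNode never parses markup: '<b>' stays the literal
        // three characters instead of becoming an element.
        pre.appendChild(doc.createTextNode(line + '\n'));
    });
    parent.appendChild(pre);
    return pre;
}

// Only runs where a DOM exists (a browser page or the JSFiddle result pane).
if (typeof document !== 'undefined' && document.body) {
    renderLines(document, document.body, matchLines(text));
}
```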