I always hear and read "Eval is evil" if you evaluate user-generated code.
But where is the difference from typing code into the web console? And what are the alternatives?
I know the web is full of questions like mine. But I wasn't able to understand what I read, I'm sorry. It would be great if you could help me. I remember I read something about scopes, so do eval() and the web console have different scopes? If yes, why does that make the web console safer?
Thanks for your advice!
Darth Moon
Edit: Why is passing code through the web console / through eval dangerous at all? I thought JS is executed client-side?
Upvotes: 1
Views: 359
Reputation: 42304
Neither are safe to execute code in; both can lead to XSS attacks.
The web console is just as vulnerable in this regard as eval'd code.
However, they do indeed have different scopes.
eval() works in either the global scope or local scope depending on how it's invoked:
If you use the eval function indirectly, by invoking it via a reference other than eval, as of ECMAScript 5 it works in the global scope rather than the local scope. This means, for instance, that function declarations create global functions, and that the code being evaluated doesn't have access to local variables within the scope where it's being called.
And the web console executes code in the page window scope.
What's interesting to note is that the Browser Console has a different scope to the Web Console, running under the browser's chrome window:
Similarly, you can execute JavaScript expressions using the Browser Console. But while the Web Console executes code in the page window scope, the Browser Console executes them in the scope of the browser's chrome window.
Upvotes: 1
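The scope difference the answer describes, as an added example that is not part of the original answer or of any browser's own code: a direct call to eval runs in the calling function's scope, while an indirect call (any reference other than the plain name eval) runs in the global scope. The last function also contrasts eval with JSON.parse for the common case the question hints at, turning a string into a value, since JSON.parse treats its input purely as data and never executes it. Names (secret, leakedFromEval, parseUntrustedInput) are constructed for the example; run it with Node.

```javascript
// Added example (not from the original answer): direct vs indirect eval scope.

function directEvalSeesLocals() {
  const secret = "local-value";          // a local variable of this function
  // Direct call by the plain name `eval`: the code string runs in THIS scope,
  // so it can read (and in sloppy mode, create) local variables here.
  return eval("secret");                 // returns "local-value"
}

function indirectEvalDoesNotSeeLocals() {
  const secret = "local-value";          // same local, unused by the evaluated code
  const indirectEval = eval;             // a reference other than the name `eval`
  try {
    // Indirect call: per ES5+, the code runs in the GLOBAL scope, where no
    // variable named `secret` exists, so this throws a ReferenceError.
    return indirectEval("secret");
  } catch (e) {
    return e instanceof ReferenceError ? "ReferenceError" : "other";
  }
}

function indirectEvalDeclaresGlobals() {
  // The comma operator yields a plain value for `eval`, making the call indirect.
  // A `var` declaration in indirectly evaluated code therefore lands on the
  // global object, exactly as the quoted MDN text says function declarations do.
  (0, eval)("var leakedFromEval = 42;");
  const value = globalThis.leakedFromEval;
  delete globalThis.leakedFromEval;      // clean up the global we just created
  return value;                          // returns 42
}

// The alternative for "I only need a value out of this string": JSON.parse.
// It accepts data only; anything that is code is rejected, never executed.
function parseUntrustedInput(text) {
  try {
    return { ok: true, value: JSON.parse(text) };
  } catch (e) {
    return { ok: false, error: e.constructor.name };
  }
}

// Same string, two treatments: eval executes it, JSON.parse refuses it.
function evalVersusParse(text) {
  return { evaluated: (0, eval)(text), parsed: parseUntrustedInput(text) };
}

// Stand-alone demonstration.
console.log(directEvalSeesLocals());              // local-value
console.log(indirectEvalDoesNotSeeLocals());      // ReferenceError
console.log(indirectEvalDeclaresGlobals());       // 42
console.log(parseUntrustedInput('{"n": 1}'));     // { ok: true, value: { n: 1 } }
console.log(evalVersusParse("1+1"));              // evaluated: 2, parsed: SyntaxError
```

The practical takeaway for the question's "what are the alternatives" is the last pair: if the string is supposed to be data, parse it with a parser for that data format; only code that the page itself shipped should ever reach eval, whichever scope it runs in.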