What is the Content Security Policy implication of using eval()?

A Content Security Policy with script-src 'self' (or any policy without 'unsafe-eval') blocks all eval() calls, causing JavaScript errors. If you are implementing CSP on your Shopify theme — which is a security best practice — eval() in your theme will break your own functionality. Removing eval() is a prerequisite for effective CSP implementation.

Is JSON.parse() completely safe for all inputs?

JSON.parse() is safe against code injection — it only parses valid JSON structures and does not execute JavaScript. It will throw a SyntaxError for non-JSON input, which you should catch. The output is always a plain JavaScript data structure (object, array, string, number, boolean, null) — never executable code. Always wrap JSON.parse() in try/catch when parsing data from potentially unreliable sources.

Does Shopify's CSP prevent eval() by default?

As of 2025, Shopify does not enforce a Content Security Policy on all storefronts by default. However, browser vendors are increasingly restrictive about eval() in secure contexts, and Shopify has indicated CSP support is being expanded. Building themes without eval() now ensures compatibility with future CSP enforcement and is a security best practice regardless.

securityMarch 22, 2026

eval() in a Shopify Theme Is a Critical XSS Vulnerability — Here's What to Use Instead

eval() executes any JavaScript string as code. If an attacker can influence the string passed to eval() — through a product title, a metafield, a URL parameter, or any other user-controlled value — they can execute arbitrary JavaScript in every visitor's browser. This includes stealing session cookies, capturing payment form keystrokes, and silently modifying orders. eval() has no legitimate use case in a Shopify theme that cannot be replaced with a safer pattern. This guide covers every common use and its secure replacement.

Why eval() is uniquely dangerous in Shopify themes

Shopify themes process data from multiple sources that attackers can influence: product titles and descriptions (settable via bulk import and apps), metafield values (sometimes exposed via customer-facing apps), URL query parameters, and cart item properties. Any of these values reaching eval() represents immediate critical XSS. Additionally, eval() prevents JavaScript minification and tree-shaking, triggers Content Security Policy violations, and is disabled in strict mode. There is no defensive use of eval() in theme code.

eval() for JSON parsing — use JSON.parse() instead

The most common legitimate-looking use of eval() in older Shopify themes is parsing JSON from a script tag or AJAX response: eval('(' + jsonString + ')'). This was a pre-ES5 workaround. The correct replacement is JSON.parse(jsonString). JSON.parse() only accepts valid JSON (no executable JavaScript), throws a SyntaxError for invalid input, and is 10-100x faster than eval(). If the JSON string might be malformed, wrap it in try/catch: try { const data = JSON.parse(str); } catch(e) { console.error('Invalid JSON:', e); }.

eval() for dynamic function calls — use a dispatch table instead

Another eval() misuse in themes: dynamically calling a function by name received from HTML data attributes. Instead of eval(element.dataset.action + '()'), build a dispatch table: const actions = { openModal: () => modal.open(), closeModal: () => modal.close(), addToCart: () => cart.add() }; const action = actions[element.dataset.action]; if (typeof action === 'function') action();. This allows only the specific functions in the table to be called — not arbitrary code execution.

Finding eval() in your theme and related patterns

Search your theme JavaScript for: eval(, new Function(, setTimeout('string', and setInterval('string'. All four execute string arguments as code and are equally dangerous. new Function('code')() is functionally identical to eval(). setTimeout and setInterval with string first arguments (rather than function references) also invoke eval internally. All of these must be replaced. Theme Check and Syphio both flag eval() and new Function() as CRITICAL security issues.

The fix: before and after

// CODE_COMPARISON

// BAD_CODE — before

1// CRITICAL: eval() — executes any JavaScript string, including attacker-controlled data

2const productData = eval('(' + document.querySelector('[data-product]').dataset.product + ')');

4// Also dangerous: new Function() is equivalent to eval()

5const handler = new Function('event', document.querySelector('[data-action]').dataset.handler);

7// Also dangerous: setTimeout/setInterval with string argument

8setTimeout('openModal()', 1000);

// SYPHIO_FIXED — after

1// GOOD: JSON.parse() for safe JSON parsing

2try {

3 const productData = JSON.parse(document.querySelector('[data-product]').dataset.product);

4} catch(e) {

5 console.error('Invalid product data:', e);

8// GOOD: dispatch table for dynamic function calls

9const handlers = {

10 openModal: () => modal.open(),

11 closeModal: () => modal.close(),

12 addToCart: () => cart.add()

13};

15const actionName = element.dataset.action;

16if (actionName in handlers) {

17 handlers[actionName]();

18} else {

19 console.warn('Unknown action:', actionName);

20}

22// GOOD: setTimeout with function reference, not string

23setTimeout(() => openModal(), 1000);

Frequently asked questions

What is the Content Security Policy implication of using eval()?: A Content Security Policy with script-src 'self' (or any policy without 'unsafe-eval') blocks all eval() calls, causing JavaScript errors. If you are implementing CSP on your Shopify theme — which is a security best practice — eval() in your theme will break your own functionality. Removing eval() is a prerequisite for effective CSP implementation.
Is JSON.parse() completely safe for all inputs?: JSON.parse() is safe against code injection — it only parses valid JSON structures and does not execute JavaScript. It will throw a SyntaxError for non-JSON input, which you should catch. The output is always a plain JavaScript data structure (object, array, string, number, boolean, null) — never executable code. Always wrap JSON.parse() in try/catch when parsing data from potentially unreliable sources.
Does Shopify's CSP prevent eval() by default?: As of 2025, Shopify does not enforce a Content Security Policy on all storefronts by default. However, browser vendors are increasingly restrictive about eval() in secure contexts, and Shopify has indicated CSP support is being expanded. Building themes without eval() now ensures compatibility with future CSP enforcement and is a security best practice regardless.

// SCAN_YOUR_CODE

Does your theme have this bug?

Paste your code. Syphio automatically detects and fixes this error and hundreds of others — in seconds.

Audit my theme →

Shopify CSRF Token — Every POST Form Needs authenticity_token (Here's Why)→Shopify XSS via Liquid — Every Variable in a <script> Tag Needs the | json Filter→