It's definitely evil, when it's used at runtime. In general (non-testing) usage, it would be written out to a file after compilation and there'd be no eval() action at runtime.
It's mainly just slow - the whole set of code has to be parsed, processed, validated, run, etc every time it's used.
It's not insecure in this usage (even if it were used on the client), as all the actual code is generated by uglify-js via an AST and it takes care of properly escaping everything.
The only thing I'm really taking from the django system is the syntax and some of the concepts. As far as I know, it's implemented completely differently. Very simple django/jinja2 templates will compile with Ginger, but the functionality is designed to be closer to Twig than anything.
7 comments
[ 4.9 ms ] story [ 24.0 ms ] threadIt's not insecure in this usage (even if it were used on the client), as all the actual code is generated by uglify-js via an AST and it takes care of properly escaping everything.