I think it's completely safe; I don't think that eval is evil. Just use it with judgment, and double check your sanitize function.
Since you're not allowing Unicode letters, nor _ or $, to pass sanitization, and a JavaScript identifier must contain a letter, it won't be possible to pollute the global scope, nor to call functions.
From the MDN page on identifiers:
Starting with JavaScript 1.5, you can use ISO 8859-1 or Unicode letters such as å and ü in identifiers. You can also use the \uXXXX Unicode escape sequences as characters in identifiers.
Remember to catch exceptions thrown by eval calls, because it's always possible to enter a wrong expression, e.g. 4><5.
Also, be sure that you check for the characters you allow, not for those that you deny, so that characters you didn't think about are denied by default.
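As an added example, not part of this answer: an allowlist-based sanitize step for arithmetic input (digits, operators, parentheses, whitespace only, so no letters, _ or $ can form an identifier), followed by eval wrapped in try/catch so malformed input such as "(2+3" is reported rather than thrown. The names ALLOWED, isSanitized and safeArithmetic are assumptions of this example.

```javascript
// Added example (not from the original answer). Names ALLOWED, isSanitized
// and safeArithmetic are hypothetical.

// Allowlist: ASCII digits, decimal point, arithmetic operators, parentheses
// and whitespace. Letters (ASCII or Unicode), '_' and '$' are absent, so no
// JavaScript identifier can be spelled, hence nothing can be referenced or called.
const ALLOWED = /^[0-9.+\-*/%()\s]*$/;

// Allowlist check: true only if every character is explicitly permitted.
// Anything not listed (e.g. '<', '>', letters, '[', ']', '=') is denied by default.
function isSanitized(expr) {
  return typeof expr === "string" && ALLOWED.test(expr);
}

// Evaluates an arithmetic expression. Returns { ok: true, value } on success,
// or { ok: false, reason } when the input fails the allowlist, is malformed
// (eval throws), or does not produce a finite number.
function safeArithmetic(expr) {
  if (!isSanitized(expr)) {
    return { ok: false, reason: "disallowed character" };
  }
  try {
    // eval throws a SyntaxError on malformed input such as "(2+3" or "4 5".
    const value = eval(expr);
    // "" evaluates to undefined and "1/0" to Infinity; neither is a usable result.
    if (typeof value !== "number" || !Number.isFinite(value)) {
      return { ok: false, reason: "non-numeric result" };
    }
    return { ok: true, value };
  } catch (e) {
    // e.name is "SyntaxError" for wrong expressions that passed the allowlist.
    return { ok: false, reason: e.name };
  }
}
```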