After reading pages of documentation and learning everything I can about XSS, it seems to me that the only way to introduce an XSS vulnerability solely with front-end JavaScript is to use that code to perform "server-like" decisions. What I'm referring to is what is called DOM-Based XSS, whereby your front-end JS code takes parameters from either the URL query string or some other unattached resource and attempts to do something with that input without properly sanitizing and/or escaping it beforehand.
This really has nothing to do with eval() though, and has everything to do with how you design your "site experience" with regard to responses/requests. The way you avoid XSS is by making sure that your code never loads/sends anything it can't trust. eval() is just a function.
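
The DOM-based XSS pattern described above, as an added example that is not part of the original post: a query-string parameter flows into markup without any eval(), shown next to an escaped version. The function names, the `name` parameter and the sample URL are assumptions made for illustration.

```javascript
// Added example: DOM-based XSS from a query-string parameter, no eval() involved.
// Function names and the "name" parameter are hypothetical, chosen for illustration.

// Read one parameter from a URL's query string (searchParams decodes it).
function getParam(url, key) {
  return new URL(url).searchParams.get(key) ?? "";
}

// UNSAFE: untrusted text concatenated into markup destined for innerHTML.
function greetingHtmlUnsafe(url) {
  return "<p>Hello, " + getParam(url, "name") + "!</p>";
}

// Escape the characters that are significant in HTML text and attribute values.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// SAFER: the same markup with the parameter escaped before it reaches the sink.
function greetingHtmlSafe(url) {
  return "<p>Hello, " + escapeHtml(getParam(url, "name")) + "!</p>";
}

// In a browser, the simplest fix avoids HTML parsing of the value entirely:
//   element.textContent = "Hello, " + getParam(location.href, "name") + "!";

// Constructed sample URL carrying markup in the "name" parameter.
const sampleUrl =
  "https://example.test/welcome?name=" +
  encodeURIComponent("<img src=x onerror=alert(1)>");

console.log("unsafe:", greetingHtmlUnsafe(sampleUrl)); // markup survives intact
console.log("safe:  ", greetingHtmlSafe(sampleUrl));   // markup rendered inert
```

The unsafe string becomes a problem only when it is assigned to a sink that parses HTML, such as `innerHTML`; the escaped string displays the parameter as literal text.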