The eval() PHP function must be enabled because Toolset uses TWIG framework for its structure and templates. Additionally, some deprecated functions in Toolset also use eval(), so it is needed for backward compatibility reasons.
We are sanitizing all input before evaluation. This means we are evaluating only strings, numbers and comparison signs. The eval() function is used by Toolset plugins. It is used within our own code as well as in some from third-party libraries that we use. There are three places where you will find eval () function being used within Toolset files:
- Twig templates – all files located under toolset-common/lib/Twig/ folder come from the Twig templating engine.
- Visual editor – files located in under toolset-common/visual-editor/ are using the javascript version of eval. We are currently working on a process of removing eval from it.
- The legacy Views wpv-if shortcode – eval () is used to evaluate the truthness of the expression in its condition. This expression is heavily sanitized before it is evaluated. It is used within the Views plugin. Main files where it is used are embedded/inc/wpv-condition.php and inc/toolset.function.helpers.php file in Toolset Common.