
Eval Villain by bemodtwz
Hook native JavaScript functions, before page load, to see how a website uses them. Search input for user defined strings, regular expressions, or GET parameters.
You'll need Firefox to use this extension


About this extension
When you enable Eval Villain (select icon, then toggle slider), "dangerous" functions will be hooked at page load. Open the console (Ctrl+Shift+K) and reload the page. Every time one of the hooked functions is called, the call is printed to the console along with its arguments and stack trace.
The popup menu and Configure page (select icon, then "Configure") can be used to format EV output. For example, you can add a "needle" and EV will highlight all calls that contain that string or regular expression.
Pentesters/Developers:
EV was created primarily to find DOM XSS. To learn more about DOM XSS and how EV helps to find it, check out this video.
Malware:
EV typically discovers and exposes second-stage JS automatically.
CSP:
Want to make a stronger CSP but removing `unsafe-eval` breaks the site? Use EV to get information on where `eval` is being called and why.
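The hook-and-needle behaviour described above can be sketched in plain JavaScript. This is an added example, not Eval Villain's source code: `hookSink`, `findNeedles`, `demo` and the sample input are hypothetical names constructed for illustration, and it hooks `eval` on `globalThis` at call time instead of before page load in a browser.

```javascript
// Added illustration, not Eval Villain's source. All names here are
// hypothetical and the sample input in demo() is constructed.
function findNeedles(text, needles) {
  const hits = [];
  for (const needle of needles) {
    if (needle instanceof RegExp) {
      // matchAll() throws on a regex without the g flag, so add it on a copy.
      const flags = needle.flags.includes("g") ? needle.flags : needle.flags + "g";
      for (const m of text.matchAll(new RegExp(needle.source, flags))) {
        hits.push({ needle: String(needle), match: m[0], index: m.index });
      }
    } else if (needle !== "") {
      for (let i = text.indexOf(needle); i !== -1; i = text.indexOf(needle, i + 1)) {
        hits.push({ needle, match: needle, index: i });
      }
    }
  }
  return hits;
}

function hookSink(owner, name, needles, records) {
  const original = owner[name];
  owner[name] = new Proxy(original, {
    apply(target, thisArg, args) {
      const text = args.map(String).join(",");
      records.push({
        sink: name,
        args: args.map(String),
        hits: findNeedles(text, needles),
        stack: new Error().stack.split("\n").slice(2).join("\n"), // caller frames
      });
      return Reflect.apply(target, thisArg, args); // page behaviour is unchanged
    },
  });
  return () => { owner[name] = original; }; // unhook
}

// Constructed stand-in for page code that builds an eval string from input.
function demo() {
  const records = [];
  const unhook = hookSink(globalThis, "eval", ["fromUrl", /ca[a-z]+y/], records);
  const fromUrl = "canary1";
  const result = globalThis.eval("'fromUrl=' + " + JSON.stringify(fromUrl));
  unhook();
  return { result, records };
}
```

Each record holds the sink name, the stringified arguments, every needle hit with its offset, and the caller's stack, which is the information needed to trace a value from input to sink.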
Permissions
This add-on needs to:
- Access your data for all websites
More information
- Version: 2.8
- Size: 40.88 KB
- Last updated: 17 days ago (Mar 9, 2023)
- License: GNU General Public License v3.0
Release notes for 2.8
Fix output of regex needles without global flag