The eval function is a powerful and easy way to dynamically generate code, so what are the caveats?
Improper use of eval opens up your
code for injection attacks
Debugging can be more challenging
(no line numbers, etc.)
eval’d code executes slower (no opportunity to compile/cache eval’d code)
Edit: As @Jeff Walden points out in comments, #3 is less true today than it was in 2008. However, while some caching of compiled scripts may happen this will only be limited to scripts that are eval’d repeated with no modification. A more likely scenario is that you are eval’ing scripts that have undergone slight modification each time and as such could not be cached. Let’s just say that SOME eval’d code executes more slowly.
eval isn’t always evil. There are times where it’s perfectly appropriate.
To give an all-too-typical example, to set the colour of an element with an id stored in the variable ‘potato’:
eval('document.' + potato + '.style.color = "red"');
…which is much easier to read as well as less potentially buggy.
(But then, someone who /really/ knew what they were doing would say:
which is more reliable than the dodgy old trick of accessing DOM elements straight out of the document object.)