diff --git a/common/content/commands.js b/common/content/commands.js
index ecb8751d..014fa7fd 100644
--- a/common/content/commands.js
+++ b/common/content/commands.js
@@ -917,7 +917,7 @@ const Commands = Module("commands", {
             if ((res = re2.exec(str)))
                 arg += keepQuotes ? res[0] : res[2].replace(/\\(.)/g, "$1");
             else if ((res = /^(")((?:[^\\"]|\\.)*)("?)/.exec(str)))
-                arg += keepQuotes ? res[0] : window.eval(res[0] + (res[3] ? "" : '"'));
+                arg += keepQuotes ? res[0] : JSON.parse(res[0] + (res[3] ? "" : '"'));
             else if ((res = /^(')((?:[^']|'')*)('?)/.exec(str)))
                 arg += keepQuotes ? res[0] : res[2].replace("''", "'", "g");
             else
diff --git a/common/content/javascript.js b/common/content/javascript.js
index 8c6c492f..c5c6cd19 100644
--- a/common/content/javascript.js
+++ b/common/content/javascript.js
@@ -478,9 +478,7 @@ const JavaScript = Module("javascript", {
             // The top of the stack is the sting we're completing.
             // Wrap it in its delimiters and eval it to process escape sequences.
             let string = this._str.substring(this._get(-1).offset + 1, this._lastIdx);
-            // This is definitely a properly quoted string.
-            // Just eval it normally.
-            string = window.eval(this._last + string + this._last);
+            string = JSON.parse(this._last + string + this._last);
 
             // Is this an object accessor?
             if (this._get(-2).char == "[") { // Are we inside of []?