Use JSON.parse rather than eval to parse strings.

--HG--
extra : transplant_source : %7B%40A%81%9F3%F4N%A7%0A%C37%A5%3D%D0%B9d%80%14%FE

common/content/commands.js

@@ -917,7 +917,7 @@ const Commands = Module("commands", {
             if ((res = re2.exec(str)))
                 arg += keepQuotes ? res[0] : res[2].replace(/\\(.)/g, "$1");
             else if ((res = /^(")((?:[^\\"]|\\.)*)("?)/.exec(str)))
-                arg += keepQuotes ? res[0] : window.eval(res[0] + (res[3] ? "" : '"'));
+                arg += keepQuotes ? res[0] : JSON.parse(res[0] + (res[3] ? "" : '"'));
             else if ((res = /^(')((?:[^']|'')*)('?)/.exec(str)))
                 arg += keepQuotes ? res[0] : res[2].replace("''", "'", "g");
             else

common/content/javascript.js

@@ -478,9 +478,7 @@ const JavaScript = Module("javascript", {
             // The top of the stack is the sting we're completing.
             // Wrap it in its delimiters and eval it to process escape sequences.
             let string = this._str.substring(this._get(-1).offset + 1, this._lastIdx);
-            // This is definitely a properly quoted string.
+            string = JSON.parse(this._last + string + this._last);
-            // Just eval it normally.
-            string = window.eval(this._last + string + this._last);
 
             // Is this an object accessor?
             if (this._get(-2).char == "[") { // Are we inside of []?