Disallow the use of eval()
JavaScript's eval() function is potentially dangerous and is often misused. Using eval() on untrusted code can open a program up to several different injection attacks. In most contexts, the use of eval() can be replaced with a better alternative approach to the problem.
This rule is aimed at preventing potentially dangerous, unnecessary, and slow code by disallowing the use of the eval() function. As such, it will warn whenever the eval() function is used.
Examples of incorrect code for this rule:
Example of additional incorrect code for this rule when the browser environment is set to true:
Example of additional incorrect code for this rule when the node environment is set to true:
Examples of correct code for this rule:
This rule has an option to allow indirect calls to eval. Indirect calls to eval are less dangerous than direct calls to eval because they cannot dynamically change the scope. Because of this, they also will not negatively impact performance to the degree that direct eval does.
Example of incorrect code for this rule with the {"allowIndirect": true} option:
Examples of correct code for this rule with the {"allowIndirect": true} option:
This rule warns on every eval() call, even when the eval being called is not the global one. It behaves this way in order to detect direct calls to eval, such as:
This rule cannot catch cases where the global object has been renamed, such as:
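The scope difference between direct and indirect eval described above, together with an eval-free replacement for a common misuse, as an added example that is not part of the ESLint docs. The global name `__demoGlobal`, the `sample` object and the helper names are constructed for the demo.

```javascript
// Direct eval: the string runs in the caller's scope, so it can read local
// bindings (this is the form no-eval always flags, even with allowIndirect).
function directEvalSeesLocals() {
  const secret = "local-only";
  return eval("secret"); // "local-only"
}

// Indirect eval: any call that is not literally `eval(...)` runs the string
// in the global scope, so local bindings are invisible to it.
function indirectEvalCannotSeeLocals() {
  const secret = "local-only";
  const geval = eval; // aliasing turns the call into an indirect eval
  try {
    return geval("secret");
  } catch (err) {
    return err instanceof ReferenceError ? "ReferenceError" : "other";
  }
}

// Indirect eval still reaches globals: "less dangerous" is not "safe".
function indirectEvalStillSeesGlobals() {
  globalThis.__demoGlobal = "global-value"; // constructed global for the demo
  const result = (0, eval)("__demoGlobal"); // comma expression -> indirect call
  delete globalThis.__demoGlobal;
  return result;
}

// Common misuse: eval("config." + path) to read a dotted property path.
// Eval-free replacement: walk the path with bracket access, own keys only.
function getPath(obj, path) {
  return path.split(".").reduce(
    (cur, key) =>
      cur != null && Object.prototype.hasOwnProperty.call(cur, key)
        ? cur[key]
        : undefined,
    obj
  );
}

const sample = { server: { port: 8080 } }; // constructed sample input
```

Run with no-eval enabled and only the direct `eval("secret")` call is reported when `{"allowIndirect": true}` is set; with the default options all three eval forms are reported.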
This rule was introduced in ESLint v0.0.2.
© OpenJS Foundation and other contributors
Licensed under the MIT License.
https://eslint.org/docs/latest/rules/no-eval