no-eval - ESLint - Pluggable JavaScript Linter

Disallow the use of eval()

Table of Contents

  1. Rule Details
  2. Options
    1. allowIndirect
  3. Known Limitations
  4. Related Rules
  5. Version
  6. Further Reading
  7. Resources

JavaScript’s eval() function is potentially dangerous and is often misused. Calling eval() on untrusted input can expose a program to several kinds of injection attack. In most contexts, eval() can be replaced by a better alternative approach to the problem.

const obj = { x: "foo" },
    key = "x",
    value = eval("obj." + key);

Rule Details

This rule is aimed at preventing potentially dangerous, unnecessary, and slow code by disallowing the use of the eval() function. As such, it will warn whenever the eval() function is used.

Examples of incorrect code for this rule:

/*eslint no-eval: "error"*/

const obj = { x: "foo" },
    key = "x",
    value = eval("obj." + key);

(0, eval)("const a = 0");

const foo = eval;
foo("const a = 0");

// This `this` is the global object.
this.eval("const a = 0");

Example of additional incorrect code for this rule with window global variable:

/*eslint no-eval: "error"*/
/*global window*/

window.eval("const a = 0");

Example of additional incorrect code for this rule with global global variable:

/*eslint no-eval: "error"*/
/*global global*/

global.eval("const a = 0");

Examples of correct code for this rule:

/*eslint no-eval: "error"*/

const obj = { x: "foo" },
    key = "x",
    value = obj[key];

class A {
    foo() {
        // This is a user-defined method.
        this.eval("const a = 0");
    }

    eval() {
    }

    static {
        // This is a user-defined static method.
        this.eval("const a = 0");
    }

    static eval() {
    }
}

Options

allowIndirect

This rule has an option to allow “indirect eval”. Indirect calls to eval are less dangerous than direct calls to eval because they cannot dynamically change the scope. Because of this, they also will not negatively impact performance to the degree of direct eval.

{
    "no-eval": ["error", {"allowIndirect": true}] // default is false
}

Example of incorrect code for this rule with the {"allowIndirect": true} option:

/*eslint no-eval: ["error", {"allowIndirect": true} ]*/

const obj = { x: "foo" },
    key = "x",
    value = eval("obj." + key);

Examples of correct code for this rule with the {"allowIndirect": true} option:

/*eslint no-eval: ["error", {"allowIndirect": true} ]*/

(0, eval)("const a = 0");

const foo = eval;
foo("const a = 0");

this.eval("const a = 0");

/*eslint no-eval: ["error", {"allowIndirect": true} ]*/
/*global window*/

window.eval("const a = 0");

/*eslint no-eval: ["error", {"allowIndirect": true} ]*/
/*global global*/

global.eval("const a = 0");
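
To make the scope difference behind allowIndirect concrete, here is an added example (not code from the ESLint docs): it contrasts direct eval, indirect eval and the plain property lookup the rule recommends. The functions lookupDirect, lookupIndirect and lookupSafe and the sample object are constructed for this illustration and run under Node.js.

```javascript
// The pattern no-eval reports: source text is assembled from data and run
// with direct eval, which executes inside this function's scope. A key such
// as "x, secret" therefore reads a local the caller never meant to expose.
function lookupDirect(obj, key) {
    const secret = "only-this-function-should-see-me";
    return eval("obj." + key);
}

// Same source text, but called through a reference rather than the bare
// identifier `eval`. The code runs in the global scope, so neither `obj` nor
// `secret` is visible to it; the call fails with a ReferenceError instead.
// This is the form { "allowIndirect": true } tolerates.
function lookupIndirect(obj, key) {
    const secret = "only-this-function-should-see-me";
    const indirectEval = eval;
    try {
        return indirectEval("obj." + key);
    } catch (err) {
        return err.name; // "ReferenceError": `obj` is not a global
    }
}

// The replacement the docs recommend: a property lookup generates no code, so
// a key is only ever a key. The own-property check also keeps inherited names
// such as "constructor" from being returned.
function lookupSafe(obj, key) {
    return Object.prototype.hasOwnProperty.call(obj, key) ? obj[key] : undefined;
}

// Constructed sample input, matching the docs' { x: "foo" }.
const sample = { x: "foo" };
console.log(lookupDirect(sample, "x"));           // "foo"
console.log(lookupDirect(sample, "x, secret"));   // the local `secret` leaks
console.log(lookupIndirect(sample, "x, secret")); // "ReferenceError"
console.log(lookupSafe(sample, "x, secret"));     // undefined
```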

Known Limitations

module.exports = function(eval) {
    // If the value of this `eval` is the built-in `eval` function, this is a
    // call of direct `eval`. To catch that case, the rule reports every
    // `eval()` call, even when `eval` is a parameter rather than the global.
    eval("const a = 0");
};

// The rule cannot follow an alias of the global object, so this call is
// not reported.
const foo = window;
foo.eval("const a = 0");

Version

This rule was introduced in ESLint v0.0.2.

Further Reading

ericlippert.com

How evil is eval?
javascriptweblog.wordpress.com

Resources