# eslint/no-eval

Category: Correctness

## What it does

Disallows referencing the `eval` function. This rule is aimed at preventing potentially dangerous, unnecessary, and slow code by disallowing the use of the `eval()` function.
## Why is this bad?

JavaScript's `eval()` function is potentially dangerous and is often misused. Using `eval()` on untrusted code can open a program up to several different injection attacks. In most contexts the use of `eval()` can be replaced by a better, safer approach to the problem, such as using `JSON.parse()` or `Function` constructors in safer ways.
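The following is an added example, not code from the oxlint documentation or the rule's own sources. It shows why `eval()` on an attacker-influenced string is an injection problem and what the safer alternatives mentioned above (a plain property lookup, `JSON.parse()`) look like in practice. The sample data, the "untrusted" key, and the `sideEffects` marker array are constructed for the demonstration.

```javascript
// Added example (not from the oxlint documentation): eval() on untrusted
// input versus the safer alternatives the rule text recommends.

// Marker array: any statement that runs as a side effect of eval() appends
// here. A real injection would do something worse; the marker only proves
// that arbitrary code ran.
const sideEffects = [];

// Constructed sample data, the same shape as the rule's incorrect example.
const config = { x: "foo", y: "bar" };

// Constructed inputs: a well-behaved key, and a key as an attacker might
// supply it through a query parameter or form field.
const trustedKey = "x";
const untrustedKey = 'x; sideEffects.push("injected statement ran")';

// Pattern flagged by no-eval: the key is pasted into source text and executed.
// Everything after the first `;` in the key is treated as code, not as a name.
function lookupWithEval(obj, key) {
  return eval("obj." + key);
}

// Safer alternative: bracket access treats the whole string as a property
// name. The own-property check also avoids walking the prototype chain for
// keys such as "constructor" or "__proto__".
function lookupWithBracket(obj, key) {
  return Object.prototype.hasOwnProperty.call(obj, key) ? obj[key] : undefined;
}

// Pattern flagged by no-eval: "parsing" a JSON-looking string by executing it.
function parseWithEval(text) {
  return eval("(" + text + ")");
}

// Safer alternative: JSON.parse accepts data only and rejects anything that is
// not JSON, so executable content cannot sneak through.
function parseWithJson(text) {
  try {
    return { ok: true, value: JSON.parse(text) };
  } catch (err) {
    return { ok: false, error: err.name };
  }
}

// Runs each variant on both inputs and returns the results side by side.
function runDemo() {
  sideEffects.length = 0;

  const evalTrusted = lookupWithEval(config, trustedKey);          // "foo"
  const evalUntrusted = lookupWithEval(config, untrustedKey);      // runs the injected statement
  const bracketTrusted = lookupWithBracket(config, trustedKey);    // "foo"
  const bracketUntrusted = lookupWithBracket(config, untrustedKey); // undefined: no such property

  const payload = '{"id": 7}';
  // Constructed input: valid-looking JSON preceded by an expression that runs first.
  const tampered = 'sideEffects.push("json eval ran"), {"id": 7}';
  const evalJson = parseWithEval(payload).id;        // 7
  const evalTampered = parseWithEval(tampered).id;   // 7, after running the injected call
  const jsonOk = parseWithJson(payload);             // { ok: true, value: { id: 7 } }
  const jsonTampered = parseWithJson(tampered);      // { ok: false, error: "SyntaxError" }

  return {
    evalTrusted, evalUntrusted, bracketTrusted, bracketUntrusted,
    evalJson, evalTampered, jsonOk, jsonTampered,
    sideEffects: [...sideEffects],
  };
}
```

Both `eval()` variants return the "right" answer for the well-formed input, which is why such code survives review; the difference only shows on the hostile input, where the string-as-code versions execute the injected statement and the data-only versions either return `undefined` or reject the input outright.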
## Examples

Examples of **incorrect** code for this rule:

```js
// Direct eval: the key is concatenated into source text and executed.
const obj = { x: "foo" },
  key = "x",
  value = eval("obj." + key);

// Indirect eval via the comma operator; still the global eval function.
(0, eval)("const a = 0");

// Aliasing eval does not change what is called.
const foo = eval;
foo("const a = 0");

// At the top level of a script `this` is the global object, so this is the global eval.
this.eval("const a = 0");
```
Examples of **correct** code for this rule:

```js
// The dynamic key is used as data with bracket access, not executed as code.
const obj = { x: "foo" },
  key = "x",
  value = obj[key];

// `eval` here is a method defined on the class itself, so `this.eval`
// refers to that method rather than to the global eval function.
class A {
  foo() {
    this.eval("const a = 0");
  }
  eval() {}
  static {
    this.eval("const a = 0");
  }
  static eval() {}
}
```
## Options

### allowIndirect

`{ type: boolean, default: false }`

The `allowIndirect` option allows indirect `eval()` calls.

Indirect calls to `eval` (e.g., `window['eval']`) are less dangerous than direct calls because they cannot dynamically change the scope. Indirect `eval()` calls also typically have less impact on performance than direct calls, as they do not invoke JavaScript's scope chain.
Example:

```json
"eslint/no-eval": [
  "error",
  { "allowIndirect": true }
]
```
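The following is an added example, not code from the oxlint documentation, illustrating what "indirect" means for `allowIndirect`: a direct `eval` call runs the string in the caller's scope, while the indirect forms (`(0, eval)(...)`, an aliased reference, `globalThis["eval"]`) run it in the global scope. The second function shows the caveat a reviewer should keep in mind when enabling the option: indirect `eval` still executes arbitrary code against everything reachable from the global scope, including creating globals. The local variable and the marker global name are constructed for the demonstration.

```javascript
// Added example (not from the oxlint documentation): direct versus indirect
// eval, and why indirect calls are only less dangerous, not safe.

function compareEvalScopes() {
  const localSecret = "only visible in this function";

  // Direct call: the string runs in this function's scope, so it can read
  // (and, in sloppy mode, add to) the local bindings.
  const direct = eval("typeof localSecret");

  // Indirect calls: each of these runs the string in the global scope, where
  // localSecret does not exist, so the scope of the caller cannot be touched.
  const viaComma = (0, eval)("typeof localSecret");
  const aliased = eval;
  const viaAlias = aliased("typeof localSecret");
  const viaProperty = globalThis["eval"]("typeof localSecret");

  // { direct: "string", viaComma: "undefined", viaAlias: "undefined", viaProperty: "undefined" }
  return { direct, viaComma, viaAlias, viaProperty };
}

// Indirect eval still has full access to the global scope: a `var` declared
// inside it becomes a global variable. The constructed name below is unlikely
// to collide with anything real and is removed again before returning.
function indirectEvalStillReachesGlobals() {
  const name = "noEvalDocsExampleMarker";
  (0, eval)("var " + name + " = 42;");
  const created = globalThis[name]; // 42: the global was created
  delete globalThis[name];          // eval-declared vars are configurable
  return created;
}
```

Enabling `allowIndirect` therefore removes only the "code can reach my local variables" risk and the scope-chain cost; an indirect `eval` on untrusted input is still code execution and still deserves the `JSON.parse()`-style replacement described earlier on this page.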
## How to use

To enable this rule in the CLI or using the config file, you can use:

```sh
oxlint --deny no-eval
```

```json
{
  "rules": {
    "no-eval": "error"
  }
}
```