← Back to rules

eslint/no-implied-eval Suspicious

✅ This rule is turned on by default.

What it does

Disallows passing strings to setTimeout(), setInterval(), and execScript().

Why is this bad?

Passing a string to these APIs evaluates the string as JavaScript source text at runtime. This has many of the same security, readability, and performance problems as eval(). Pass a function instead.

Examples

Examples of incorrect code for this rule:

setTimeout("alert('Hi!')", 100);
setInterval("doWork()", 1000);
window.setTimeout("doWork()", 100);

Examples of correct code for this rule:

setTimeout(() => alert("Hi!"), 100);
setInterval(doWork, 1000);
window.setTimeout(doWork, 100);

How to use

To enable this rule using the config file or in the CLI, you can use:

Config (.oxlintrc.json)

{
  "rules": {
    "no-implied-eval": "error"
  }
}

Config (oxlint.config.ts)

import { defineConfig } from "oxlint";

export default defineConfig({
  rules: {
    "no-implied-eval": "error",
  },
});

CLI

oxlint --deny no-implied-eval

Version

This rule was added in vnext.

References

• Rule Source
• Open rule in Oxc Playground