UNPKG

@typescript-eslint/eslint-plugin

Version:

TypeScript plugin for ESLint

typescript-eslint.io/packages/eslint-plugin

typescript-eslint/typescript-eslint

105 lines (71 loc) 2.81 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
--- description: 'Disallow the use of `eval()`-like methods.' --- import Tabs from '@theme/Tabs'; import TabItem from '@theme/TabItem'; > 🛑 This file is source code, not the primary documentation location! 🛑 > > See **https://typescript-eslint.io/rules/no-implied-eval** for documentation. It's considered a good practice to avoid using `eval()`. There are security and performance implications involved with doing so, which is why many linters recommend disallowing `eval()`. However, there are some other ways to pass a string and have it interpreted as JavaScript code that have similar concerns. The first is using `setTimeout()`, `setInterval()`, `setImmediate` or `execScript()` (Internet Explorer only), all of which can accept a string of code as their first argument ```ts setTimeout('alert(`Hi!`);', 100); ``` or using `new Function()` ```ts const fn = new Function('a', 'b', 'return a + b'); ``` This is considered an implied `eval()` because a string of code is passed in to be interpreted. The same can be done with `setInterval()`, `setImmediate()` and `execScript()`. All interpret the JavaScript code in the global scope. The best practice is to avoid using `new Function()` or `execScript()` and always use a function for the first argument of `setTimeout()`, `setInterval()` and `setImmediate()`. ## Examples This rule aims to eliminate implied `eval()` through the use of `new Function()`, `setTimeout()`, `setInterval()`, `setImmediate()` or `execScript()`. <Tabs> <TabItem value="❌ Incorrect"> ```ts setTimeout('alert(`Hi!`);', 100); setInterval('alert(`Hi!`);', 100); setImmediate('alert(`Hi!`)'); execScript('alert(`Hi!`)'); window.setTimeout('count = 5', 10); window.setInterval('foo = bar', 10); const fn = '() = {}'; setTimeout(fn, 100); const fn = () => { return 'x = 10'; }; setTimeout(fn(), 100); const fn = new Function('a', 'b', 'return a + b'); ``` </TabItem> <TabItem value="✅ Correct"> ```ts setTimeout(function () { alert('Hi!'); }, 100); setInterval(function () { alert('Hi!'); }, 100); setImmediate(function () { alert('Hi!'); }); execScript(function () { alert('Hi!'); }); const fn = () => {}; setTimeout(fn, 100); const foo = { fn: function () {}, }; setTimeout(foo.fn, 100); setTimeout(foo.fn.bind(this), 100); class Foo { static fn = () => {}; } setTimeout(Foo.fn, 100); ``` </TabItem> </Tabs> ## When Not To Use It If your project is a rare one that needs to allow `new Function()` or `setTimeout()`, `setInterval()`, `setImmediate()` and `execScript()` with string arguments, then you can disable this rule. You might consider using [ESLint disable comments](https://eslint.org/docs/latest/use/configure/rules#using-configuration-comments-1) for those specific situations instead of completely disabling this rule.