noGlobalEval
Este conteúdo não está disponível em sua língua ainda.
Diagnostic Category: lint/security/noGlobalEval
Since: v1.5.0
Sources:
- Same as:
no-eval
Disallow the use of global eval()
.
The eval()
function evaluates the passed string as a JavaScript code.
The executed code can access and mutate variables in the scope where the function is called.
The use of eval()
exposes to security risks and performance issues.
If the executed code is somehow affected by a malicious party,
then you may end up executing malicious code with the privileges of the caller.
Moreover, changing variables in the caller’s scope is expensive in modern JavaScript interpreters.
Examples
Section titled ExamplesInvalid
Section titled Invalidcode-block.js:1:1 lint/security/noGlobalEval ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
✖ eval() exposes to security risks and performance issues.
> 1 │ eval(“var a = 0”);
│ ^^^^
2 │
ℹ See the MDN web docs for more details.
ℹ Refactor the code so that it doesn’t need to call eval().
code-block.js:1:5 lint/security/noGlobalEval ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
✖ eval() exposes to security risks and performance issues.
> 1 │ (0, globalThis.eval)(“var a = 0”)
│ ^^^^^^^^^^^^^^^
2 │
ℹ See the MDN web docs for more details.
ℹ Refactor the code so that it doesn’t need to call eval().
code-block.js:1:3 lint/security/noGlobalEval ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
✖ eval() exposes to security risks and performance issues.
> 1 │ f(eval);
│ ^^^^
2 │
ℹ See the MDN web docs for more details.
ℹ Refactor the code so that it doesn’t need to call eval().
code-block.js:1:21 lint/security/noGlobalEval ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
✖ eval() exposes to security risks and performance issues.
> 1 │ const aliasedEval = eval;
│ ^^^^
2 │
ℹ See the MDN web docs for more details.
ℹ Refactor the code so that it doesn’t need to call eval().
Valid
Section titled ValidThe rule is not able to detect cases where the global object is aliased: