eslint/no-eval Correctness ​
What it does ​
Disallows referencing the eval function. This rule is aimed at preventing potentially dangerous, unnecessary, and slow code by disallowing the use of the eval() function.
Why is this bad? ​
JavaScript’s eval() function is potentially dangerous and is often misused. Using eval() on untrusted code can open a program up to several different injection attacks. The use of eval() in most contexts can be substituted for a better, safer alternative approach to solving the problem, such as using JSON.parse() or Function constructors in safer ways.
Examples ​
Examples of incorrect code for this rule:
js
const obj = { x: "foo" },
key = "x",
value = eval("obj." + key);
(0, eval)("const a = 0");
const foo = eval;
foo("const a = 0");
this.eval("const a = 0");Examples of correct code for this rule:
js
const obj = { x: "foo" },
key = "x",
value = obj[key];
class A {
foo() {
this.eval("const a = 0");
}
eval() {}
static {
this.eval("const a = 0");
}
static eval() {}
}Options ​
allowIndirect ​
{ type: boolean, default: true }
This allowIndirect option allows indirect eval() calls.
Indirect calls to eval(e.g., window['eval']) are less dangerous than direct calls because they cannot dynamically change the scope. Indirect eval() calls also typically have less impact on performance compared to direct calls, as they do not invoke JavaScript's scope chain.
Example:
json
"eslint/no-eval": [
"error",
{ "allowIndirect": true }
]How to use ​
To enable this rule in the CLI or using the config file, you can use:
bash
oxlint --deny no-evaljson
{
"rules": {
"no-eval": "error"
}
}