* https://ericlippert.com/2003/11/01/eval-is-evil-part-one/
* https://javascriptweblog.wordpress.com/2010/04/19/how-evil-is-eval/
JavaScript's `eval()` function is potentially dangerous and is often misused. Using `eval()` on untrusted code can open a program up to several different injection attacks. In most contexts, `eval()` can be replaced by a better alternative approach to the problem.

```js
var obj = { x: "foo" },
    key = "x", // the property name spliced into the eval'd string below
    value = eval("obj." + key);
```
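The snippet above builds source text out of a key and hands it to `eval()`. The following is an added example, not code from the ESLint documentation, that puts that lookup beside the plain property access that replaces it; the helper names `lookupWithEval` and `lookupSafe` and the sample objects `sample` and `dashed` are constructed here. It shows that the two are not equivalent: the eval'd path parses the key as code, so a key containing a dot walks the prototype chain and a key containing a dash is parsed as a subtraction, while the property-access path treats the key as data.

```javascript
// Added example (not part of the ESLint docs): the eval-based lookup the
// no-eval rule warns about, beside the property access that replaces it.
const sample = { x: "foo" };        // constructed sample object
const dashed = { "my-key": "bar" }; // constructed: a key that is not an identifier

// What the page's snippet does. The key is spliced into source text, so the
// string is parsed as code: "constructor.name" becomes target.constructor.name
// and "my-key" becomes the subtraction target.my - key. Any key that is not a
// plain identifier silently changes meaning, and a crafted key runs as code.
function lookupWithEval(target, key) {
  // direct eval: the string is evaluated in this function's scope, so it can
  // see `target` (and `key`, which is why "my-key" evaluates to NaN)
  return eval("target." + key);
}

// The replacement. The key is used as a property name and is never parsed.
// The own-property check keeps inherited names such as "constructor" from
// resolving, which plain target[key] would still allow.
function lookupSafe(target, key) {
  return Object.prototype.hasOwnProperty.call(target, key) ? target[key] : undefined;
}

// Side-by-side results for the same keys (constructed inputs).
function compare(key) {
  return {
    withEval: lookupWithEval(sample, key),
    safe: lookupSafe(sample, key),
  };
}

console.log(compare("x"));                // both "foo"
console.log(compare("constructor.name")); // eval: "Object", safe: undefined
console.log(lookupWithEval(dashed, "my-key"), lookupSafe(dashed, "my-key")); // NaN "bar"
```

The dashed key is the everyday failure: the eval'd form does not throw, it just returns a wrong value, so the bug is invisible until someone reads the result. The `constructor.name` key is the security-relevant one: the string is being interpreted as a JavaScript expression, not as a name.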
This rule is aimed at preventing potentially dangerous, unnecessary, and slow code by disallowing the use of the `eval()` function. As such, it will warn whenever the `eval()` function is used.

Examples of **incorrect** code for this rule:
```js
/*eslint no-eval: "error"*/

var obj = { x: "foo" },
    key = "x",
    value = eval("obj." + key);

(0, eval)("var a = 0");

// This `this` is the global object.
this.eval("var a = 0");
```
Example of additional **incorrect** code for this rule when `browser` environment is set to `true`:

```js
/*eslint no-eval: "error"*/
/*eslint-env browser*/

window.eval("var a = 0");
```
Example of additional **incorrect** code for this rule when `node` environment is set to `true`:

```js
/*eslint no-eval: "error"*/
/*eslint-env node*/

global.eval("var a = 0");
```
Examples of **correct** code for this rule:

```js
/*eslint no-eval: "error"*/

var obj = { x: "foo" },
    key = "x",
    value = obj[key];

class A {
    eval() {}
    static eval() {}
    foo() {
        // This is a user-defined method.
        this.eval("var a = 0");
    }
    static {
        // This is a user-defined static method.
        this.eval("var a = 0");
    }
}
```
This rule has an option to allow indirect calls to `eval`. Indirect calls to `eval` are less dangerous than direct calls to `eval` because they cannot dynamically change the scope. Because of this, they also will not negatively impact performance to the degree of direct `eval`.

```json
{
    "no-eval": ["error", {"allowIndirect": true}] // default is false
}
```
Example of **incorrect** code for this rule with the `{"allowIndirect": true}` option:

```js
/*eslint no-eval: "error"*/

var obj = { x: "foo" },
    key = "x",
    value = eval("obj." + key);
```
Examples of **correct** code for this rule with the `{"allowIndirect": true}` option:

```js
/*eslint no-eval: "error"*/

(0, eval)("var a = 0");

this.eval("var a = 0");
```
```js
/*eslint no-eval: "error"*/
/*eslint-env browser*/

window.eval("var a = 0");
```
```js
/*eslint no-eval: "error"*/
/*eslint-env node*/

global.eval("var a = 0");
```
* This rule warns on every `eval()` call, even when `eval` is not the global one. This is done in order to detect calls of direct `eval`, such as:

  ```js
  module.exports = function(eval) {
      // If the value of this `eval` is the built-in `eval` function, this is a
      // call of direct `eval`.
      eval("var a = 0");
  };
  ```

* This rule cannot catch renaming the global object, such as:

  ```js
  var foo = window; // the global object under another name
  foo.eval("var a = 0");
  ```
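The `allowIndirect` option above rests on the scope difference between direct and indirect `eval`, and both known limitations follow from the fact that "direct" is decided at run time by the callee's value, not by its name. The following added example (not code from the ESLint documentation) makes that visible; the names `probeScope`, `runWithNamedEval`, `compareCallees`, `secret`, `marker` and the use of `globalThis` as the global-object alias are constructed here. It goes a little beyond the page by running all three cases in one place: a direct call, the comma-operator indirect call, and the global-object alias the rule cannot see. The parameter-named-`eval` function is built with the `Function` constructor because a binding named `eval` is a syntax error in strict-mode code, and constructor-built functions are sloppy-mode regardless of the surrounding file.

```javascript
// Added example (not part of the ESLint docs): direct vs. indirect eval, and
// why the rule flags any callee spelled `eval` regardless of where it came from.

// Direct eval: the callee is the identifier `eval` whose value is the built-in
// eval, so the string runs inside probeScope and can read `secret`.
// Indirect eval: `(0, eval)` and `g.eval` both run the string in global scope,
// where `secret` does not exist. The alias `g` is the second known limitation:
// it is an indirect eval the linter has no way to recognise as one.
function probeScope() {
  const secret = "local-value"; // constructed local variable, never global
  const g = globalThis;         // the global object under another name
  return {
    direct: eval("typeof secret"),        // "string"
    indirect: (0, eval)("typeof secret"), // "undefined"
    alias: g.eval("typeof secret"),       // "undefined"
  };
}

// First known limitation: a function whose parameter is named `eval`.
// Built via the Function constructor so the sample parses under strict mode
// too (the body itself is sloppy-mode, where a binding named `eval` is legal).
// Whether `eval(code)` is a direct eval depends on the value passed in.
const runWithNamedEval = new Function(
  "eval", "code",
  "var marker = 42; return eval(code);" // `marker` visible only to a direct eval
);

function compareCallees() {
  return {
    // the built-in eval passed as the argument: still a direct eval, sees `marker`
    builtin: runWithNamedEval(globalThis.eval, "typeof marker"), // "number"
    // a wrapper that performs an indirect eval: global scope, `marker` hidden
    wrapper: runWithNamedEval((src) => (0, eval)(src), "typeof marker"), // "undefined"
  };
}

console.log(probeScope());
console.log(compareCallees());
```

ESLint sees only the source, so it cannot tell the `builtin` case from the `wrapper` case; that is why the rule warns on the identifier and leaves the decision to the reviewer. The `alias` case is the reverse problem: it is harmless to the caller's scope, but nothing in the syntax marks it as an `eval` call at all.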