10 It's considered a good practice to avoid using `eval()` in JavaScript. There are security and performance implications involved with doing so, which is why many linters (including ESLint) recommend disallowing `eval()`. However, there are some other ways to pass a string and have it interpreted as JavaScript code that have similar concerns.
12 The first is using `setTimeout()`, `setInterval()` or `execScript()` (Internet Explorer only), all of which can accept a string of JavaScript code as their first argument. For example:
15 setTimeout("alert('Hi!');", 100);
18 This is considered an implied `eval()` because a string of JavaScript code is
19 passed in to be interpreted. The same can be done with `setInterval()` and `execScript()`. Both interpret the JavaScript code in the global scope. For both `setTimeout()` and `setInterval()`, the first argument can also be a function, and that is considered safer and is more performant:
22 setTimeout(function() {
27 The best practice is to always use a function for the first argument of `setTimeout()` and `setInterval()` (and avoid `execScript()`).
31 This rule aims to eliminate implied `eval()` through the use of `setTimeout()`, `setInterval()` or `execScript()`. As such, it will warn when either function is used with a string as the first argument.
33 Examples of **incorrect** code for this rule:
38 /*eslint no-implied-eval: "error"*/
40 setTimeout("alert('Hi!');", 100);
42 setInterval("alert('Hi!');", 100);
44 execScript("alert('Hi!')");
46 window.setTimeout("count = 5", 10);
48 window.setInterval("foo = bar", 10);
53 Examples of **correct** code for this rule:
58 /*eslint no-implied-eval: "error"*/
60 setTimeout(function() {
64 setInterval(function() {
73 If you want to allow `setTimeout()` and `setInterval()` with string arguments, then you can safely disable this rule.