JavaScript

Made by DeepSource

eval() should not be used JS-0060

Security
Major
A03 OWASP Top 10

JavaScript's eval() function is potentially dangerous and is often misused. Passing untrusted input to eval() executes that input as code, which opens the program up to several kinds of injection attack. In most contexts eval() can be replaced with a safer alternative that solves the same problem.

Bad Practice

// Building source text from a value and executing it: if `key` comes from
// input, whatever it contains is run as code.
const obj = { x: "foo" };
const key = "x";
const value = eval("obj." + key);

// Indirect eval: still executes the string as code (in global scope).
(0, eval)("var a = 0");

// Aliasing eval does not make it any safer.
const foo = eval;
foo("var a = 0");

// This `this` is the global object, so this is the built-in eval.
this.eval("var a = 0");

Recommended

// Property access by name needs no code execution: use bracket notation.
const obj = { x: "foo" },
    key = "x",
    value = obj[key];

class A {
    foo() {
        // This is a user-defined method, not the global eval.
        this.eval("var a = 0");
    }

    eval() { /* ... */ }
}
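The following is an added example, not code from the DeepSource rule page, showing eval()-free replacements for the three jobs eval() is most often misused for: dynamic property access, parsing serialized data, and calling a function chosen by name. The helper names (lookup, parseConfig, runAction), the ACTIONS table and all sample inputs are constructed for this illustration.

```javascript
// Added example (not from the rule page): safe alternatives to eval().
// All inputs below are constructed sample values.

// Dynamic property lookup without eval(): bracket access restricted to own
// properties. Unknown or inherited keys (e.g. "constructor") yield undefined,
// so no code runs and nothing is read off the prototype chain.
function lookup(obj, key) {
  if (typeof key !== "string") return undefined;
  return Object.prototype.hasOwnProperty.call(obj, key) ? obj[key] : undefined;
}

// Parsing data without eval(): JSON.parse understands data only, never code.
// Malformed or non-object input yields null instead of throwing.
function parseConfig(text) {
  try {
    const data = JSON.parse(text);
    return data !== null && typeof data === "object" ? data : null;
  } catch (e) {
    return null;
  }
}

// Calling a function by name without eval(name + "()"): an allow-list fixed at
// authoring time, so input can only select behaviour, never define it.
const ACTIONS = Object.freeze({
  greet: (who) => `hello ${who}`,
  shout: (who) => `HELLO ${String(who).toUpperCase()}`,
});

function runAction(name, arg) {
  const fn = Object.prototype.hasOwnProperty.call(ACTIONS, name) ? ACTIONS[name] : null;
  return fn ? fn(arg) : null;
}

// Constructed sample inputs
const sampleObj = { x: "foo" };
console.log(lookup(sampleObj, "x"));            // "foo"
console.log(lookup(sampleObj, "constructor"));  // undefined, not Object
console.log(parseConfig('{"debug": true}'));    // { debug: true }
console.log(parseConfig("1 + 1"));              // null
console.log(runAction("greet", "world"));       // "hello world"
console.log(runAction("__proto__", "x"));       // null
```

Each helper accepts the same kind of input the eval() version would, but the input can only choose among values and functions that already exist in the program; it can never introduce new code.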

References