JavaScript

Made by DeepSource

eval()-like methods should not be used JS-0068

Security
Minor
A03 OWASP Top 10

Avoiding eval() is an established good practice in JavaScript: evaluating a string as code has both security and performance implications. However, eval() is not the only way to pass a string and have it interpreted as JavaScript code, and the other routes carry the same concerns.

One of those routes is setTimeout(), setInterval() or execScript() (a non-standard, Internet Explorer-only function), all of which accept a string of JavaScript code as their first argument. For example:

setTimeout("alert('Hi!');", 100);

This is an implied eval(): a string of JavaScript code is passed in to be interpreted. The same can be done with setInterval() and execScript(). All three evaluate the string in the global scope, so it cannot see local variables, and any part of the string derived from untrusted input (a query parameter, a form field, a message from another origin) becomes a code-injection vector in exactly the way an eval() argument does; a Content Security Policy that omits 'unsafe-eval' blocks these string calls for the same reason. For both setTimeout() and setInterval(), the first argument can also be a function, which is safer and more performant (the code is parsed once with the rest of the script rather than at every call):

setTimeout(function() {
    alert("Hi!");
}, 100);

Therefore, the best practice is to always pass a function as the first argument of setTimeout() and setInterval(), supplying any data the callback needs through a closure or the extra arguments after the delay rather than by building it into a string, and to avoid execScript() entirely.
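Why the string form is an injection sink and how the function form avoids it, as an added example that is not part of the original rule page (the greet, buildDelayedGreetingSource, scheduleGreeting and EVIL_NAME names are assumptions made for it):

```javascript
// Added example, not code from the DeepSource rule page: a string argument to
// setTimeout() turns attacker-controlled data into code, while the function
// form keeps it as data. greet, buildDelayedGreetingSource, scheduleGreeting
// and EVIL_NAME are assumptions made for this demo.

// Hypothetical application code: build a greeting for a user.
function greet(name) {
  return "Hi, " + name + "!";
}

// BAD (implied eval): the code to run is assembled as text from data. In a
// browser, setTimeout(thisString, 100) would evaluate it in the global scope
// exactly as eval() would. The source is returned instead of scheduled so the
// demo runs offline under Node, which rejects string callbacks outright.
function buildDelayedGreetingSource(name) {
  return "greet('" + name + "')";
}

// GOOD: pass a function, and hand the data over as an extra argument
// (setTimeout(fn, delay, ...args) is standard). The name is never parsed, so
// its contents cannot change which code runs. `timer` defaults to the real
// setTimeout; callers can inject a synchronous stand-in to avoid async waits.
function scheduleGreeting(name, onGreeting, timer = globalThis.setTimeout) {
  return timer((n) => onGreeting(greet(n)), 100, name);
}

// Constructed attacker-controlled input, e.g. taken from a query parameter.
// It closes the quoted argument and the call, then appends its own statement;
// the trailing // comments out the template's leftover "')".
const EVIL_NAME = "'); stealCookies(); //";

// Source text the string-based version would hand to the engine. With
// EVIL_NAME it is:  greet(''); stealCookies(); //')
// The injected stealCookies() call would run with the page's full privileges.
function injectedSource() {
  return buildDelayedGreetingSource(EVIL_NAME);
}

// Run the safe version with a synchronous fake timer and return what the
// callback received: the hostile text survives verbatim inside the greeting,
// but only ever as a string value, never as code.
function safeResult(name = EVIL_NAME) {
  let received;
  const fakeTimer = (fn, _delay, ...args) => fn(...args);
  scheduleGreeting(name, (g) => { received = g; }, fakeTimer);
  return received;
}
```

The same split applies to setInterval(): whatever varies between calls belongs in the arguments or the closure, never in the source text.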

Bad Practice

setTimeout("alert('Hi!');", 100);
setInterval("alert('Hi!');", 100);
execScript("alert('Hi!')");
window.setTimeout("count = 5", 10);
window.setInterval("foo = bar", 10);

Recommended

setTimeout(function() {
    alert("Hi!");
}, 100);

setInterval(function() {
    alert("Hi!");
}, 100);
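As an added example, not DeepSource's own analyzer, a text-level scan that flags the calls on this page the way the rule does; the regex, the findImpliedEval and flaggedLines names and the constructed SAMPLE source are assumptions made for it:

```javascript
// Added example, not DeepSource's own checker: a small scan that flags the
// implied-eval pattern this rule describes. It matches calls to setTimeout,
// setInterval and execScript, optionally prefixed with "window.", whose first
// argument begins with a string or template literal. The regex, the SAMPLE
// source and the function names are assumptions made for this demo.

// A first argument starting with ", ' or ` marks the call as implied eval.
const IMPLIED_EVAL_CALL =
  /\b(?:window\.)?(setTimeout|setInterval|execScript)\s*\(\s*["'`]/g;

// Returns one finding per flagged call: { line, callee, snippet }.
function findImpliedEval(source) {
  const findings = [];
  source.split("\n").forEach((text, idx) => {
    for (const m of text.matchAll(IMPLIED_EVAL_CALL)) {
      findings.push({ line: idx + 1, callee: m[1], snippet: text.trim() });
    }
  });
  return findings;
}

// Constructed sample: the rule page's Bad Practice and Recommended snippets,
// plus a template-literal case and a case this text-level scan cannot see.
const SAMPLE = [
  'setTimeout("alert(\'Hi!\');", 100);',             // line 1: flagged
  'setInterval("alert(\'Hi!\');", 100);',            // line 2: flagged
  'execScript("alert(\'Hi!\')");',                   // line 3: flagged
  'window.setTimeout("count = 5", 10);',             // line 4: flagged
  'window.setInterval("foo = bar", 10);',            // line 5: flagged
  'setTimeout(function () { alert("Hi!"); }, 100);', // line 6: ok
  'setInterval(() => alert("Hi!"), 100);',           // line 7: ok
  'setTimeout(`alert(${msg})`, 100);',               // line 8: flagged
  'const code = "alert(1)"; setTimeout(code, 10);',  // line 9: missed, not a literal
].join("\n");

// Convenience for callers and tests: the flagged line numbers in order.
function flaggedLines(source = SAMPLE) {
  return findImpliedEval(source).map((f) => f.line);
}
```

Line 9 shows the limit of matching on text: the string reaches the timer through a variable, so only a runtime control such as a CSP without 'unsafe-eval' stops it. A real linter works on the AST rather than on raw text, which also keeps it from being fooled by comments or unusual whitespace between the callee and its argument.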
