JS-0060 @ 3c35586 • smalos / nubuilder

Run summary

a year ago

8e4129c..3c35586

2 mins 6 s

eval() should not be used JS-0060

Security

Major

9 occurrences in this check

a03 owasp top 10

eval can be harmful.

core/nuform.js

 446            .replaceAll('(this)', `("#${obj.id}")`)
 447            .replaceAll('this.', `${obj.id}.`)
 448
 449          eval(modifiedJS) 450        }
 451      }
 452    }

eval can be harmful.

core/nuform.js

 941  if (obj.datalist !== null && obj.datalist !== '' && typeof obj.datalist !== 'undefined') {
 942    let dl = obj.datalist
 943    if (!$.isArray(dl)) dl = JSON.parse(dl)
 944    if (!$.isArray(dl)) dl = eval(dl) 945    nuAddDatalist($id.attr('id'), dl)
 946  }
 947}

eval can be harmful.

core/nuform.js

1654  }
1655
1656  if (s.substr(0, 1) + s.substr(-1) == '[]') {
1657    eval('a = ' + s)1658  }
1659
1660  $sel.append('<option value=""></option>')

eval can be harmful.

core/nuform.js

2673
2674  const nuCancel = false
2675
2676  eval(before)2677
2678  if (nuCancel) { return }
2679

eval can be harmful.

core/nuform.js

2731    })
2732  }
2733
2734  eval(after)2735}
2736
2737function nuLabelGetValidationClass (validationId) {

eval can be harmful.

core/nuform.js

4204
4205  nuCalculateForm()
4206
4207  eval(fm.lookup_javascript)4208
4209  $('#dialogClose').click()
4210

eval can be harmful.

core/nuform.js

4318    const sfid = $(e.target).parent().parent().parent()[0].id
4319    const click = $('#' + sfid).attr('data-nu-clickdelete')
4320
4321    eval(click)4322
4323    nuHasBeenEdited()
4324    nuCalculateForm()

eval can be harmful.

core/nucommon.js

1425  const obj = document.getElementById(i)
1426  if (obj === null) return
1427
1428  a = eval(a)1429
1430  if (a === undefined || a === '' || a.length === 0) { return }
1431

eval can be harmful.

core/nuajax.js

322    if (nuDisplayError(fm)) { return };
323
324    window.nuSERVERRESPONSE_HIDDEN = fm
325    eval(fm.callback + ';')326  }
327
328  nuAjax(last, successCallback)

Description

JavaScript's eval() function is potentially dangerous and is often misused. Using eval() on untrusted code can open a program up to several different injection attacks. The use of eval() in most contexts can be substituted for a better, alternative approach to the problem.

Bad Practice

const obj = { x: "foo" }
const key = "x"
const value = eval("obj." + key);

(0, eval)("var a = 0");

const foo = eval;
foo("var a = 0");

// This `this` is the global object.
this.eval("var a = 0");

smalos / nubuilder_dev

Bad Practice

Recommended

References