Disallow Implied eval() (no-implied-eval)

禁用隐式的eval() (no-implied-eval)

It’s considered a good practice to avoid using eval() in JavaScript. There are security and performance implications involved with doing so, which is why many linters (including ESLint) recommend disallowing eval(). However, there are some other ways to pass a string and have it interpreted as JavaScript code that have similar concerns.

在 JavaScript 中避免使用 eval() 被认为是一个很好的实践。这么做是考虑到安全性和性能的影响,这也是为什么很多检查工具(包括 ESLint )推荐禁用 eval()。然而,也有一些其它方式,通过传递一个字符串,并将它解析为 JavaScript 代码,也有类似的问题。

The first is using setTimeout(), setInterval() or execScript() (Internet Explorer only), all of which can accept a string of JavaScript code as their first argument. For example:

首当其冲的就是 setTimeout()setInterval() 或者 execScript() (仅限IE浏览器),它们都可以接受一个 JavaScript 字符串代码作为第一个参数。例如:

setTimeout("alert('Hi!');", 100);

This is considered an implied eval() because a string of JavaScript code is passed in to be interpreted. The same can be done with setInterval() and execScript(). Both interpret the JavaScript code in the global scope. For both setTimeout() and setInterval(), the first argument can also be a function, and that is considered safer and is more performant:

这被认为是一个隐式的 eval() 因为传入的 JavaScript 字符串可以被解析。setInterval()execScript() 也一样。两种方式都能在全局作用域解析 JavaScript 代码。对于 setTimeout()setInterval() 来说,第一个参数也可以是个函数,并且这种方式被认为更安全更高效。

setTimeout(function() {
    alert("Hi!");
}, 100);

The best practice is to always use a function for the first argument of setTimeout() and setInterval() (and avoid execScript()).

最佳实践是总是使用函数作为 setTimeout()setInterval() 的第一个参数。

Rule Details

This rule aims to eliminate implied eval() through the use of setTimeout(), setInterval() or execScript(). As such, it will warn when either function is used with a string as the first argument.

此规则目的在于消除使用 setTimeout()setInterval()execScript() 时隐式的 eval()。因此,当它们中的任何一个使用字符串作为第一个参数时,该规则将发出警告。

Examples of incorrect code for this rule:

错误 代码示例:

/*eslint no-implied-eval: "error"*/

setTimeout("alert('Hi!');", 100);

setInterval("alert('Hi!');", 100);

execScript("alert('Hi!')");

window.setTimeout("count = 5", 10);

window.setInterval("foo = bar", 10);

Examples of correct code for this rule:

正确 代码示例:

/*eslint no-implied-eval: "error"*/

setTimeout(function() {
    alert("Hi!");
}, 100);

setInterval(function() {
    alert("Hi!");
}, 100);

When Not To Use It

If you want to allow setTimeout() and setInterval() with string arguments, then you can safely disable this rule.

如果你想要允许 setTimeout()setInterval() 使用字符串参数,你可以关闭此规则。

Version

This rule was introduced in ESLint 0.0.7.

该规则在 ESLint 0.0.7 中被引入。

Resources