no-eval
Disallow the use of eval()
JavaScript's eval() function is potentially dangerous and is often misused. Using eval() on untrusted code can open a program up to several different injection attacks. In most contexts, the use of eval() can be replaced with a better alternative approach to the problem.
var obj = { x: "foo" },
key = "x",
value = eval("obj." + key);
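The lookup above is the classic shape of an eval() injection sink: whoever controls key controls code. The following added example (not part of the ESLint documentation) runs that lookup once through eval() and once as a plain property access, feeding both a constructed attacker-controlled key. The names obj, lookupWithEval, lookupSafely, injectedKey, sideEffects and demo are all assumptions made for this illustration.

```javascript
// Added example (not from the ESLint docs): the lookup from the rule's own
// intro, once as an eval() injection sink and once as a plain property access.
const obj = { x: "foo" };

// Records anything the injected string manages to execute (constructed for the
// demonstration; a real payload would exfiltrate data or touch the file system).
const sideEffects = [];

// Vulnerable: the key is concatenated into source text and parsed as code, so a
// "key" that is really a JavaScript expression runs with this module's privileges.
function lookupWithEval(key) {
  return eval("obj." + key);
}

// Hardened: the key is only ever used as a property name, never parsed. The
// own-property check also rejects inherited names such as "constructor" or "__proto__".
function lookupSafely(key) {
  return Object.prototype.hasOwnProperty.call(obj, key) ? obj[key] : undefined;
}

// Constructed attacker input: a valid property access followed by a payload.
const injectedKey = 'x; sideEffects.push("attacker code ran")';

function demo() {
  sideEffects.length = 0;
  const results = {};
  results.evalHonestKey = lookupWithEval("x");            // "foo"
  results.evalInjectedKey = lookupWithEval(injectedKey);  // payload runs; eval() returns push()'s result, 1
  results.evalSideEffects = sideEffects.length;           // 1: attacker code executed
  results.safeHonestKey = lookupSafely("x");              // "foo"
  results.safeInjectedKey = lookupSafely(injectedKey);    // undefined: no such own property
  results.safeInherited = lookupSafely("constructor");    // undefined, whereas obj["constructor"] would be Object
  results.safeSideEffects = sideEffects.length;           // still 1: nothing new executed
  return results;
}
```

Note that the safe version does more than avoid eval(): the own-property check keeps an attacker from reaching inherited members of Object.prototype through the same lookup.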
Rule Details
This rule is aimed at preventing potentially dangerous, unnecessary, and slow code by disallowing the use of the eval() function. As such, it will warn whenever the eval() function is used.
Examples of incorrect code for this rule:
/*eslint no-eval: "error"*/
var obj = { x: "foo" },
key = "x",
value = eval("obj." + key);
(0, eval)("var a = 0");
var foo = eval;
foo("var a = 0");
// This `this` is the global object.
this.eval("var a = 0");
Example of additional incorrect code for this rule with the window global variable:
/*eslint no-eval: "error"*/
/*global window*/
window.eval("var a = 0");
Example of additional incorrect code for this rule with the global global variable:
/*eslint no-eval: "error"*/
/*global global*/
global.eval("var a = 0");
Examples of correct code for this rule:
/*eslint no-eval: "error"*/
var obj = { x: "foo" },
key = "x",
value = obj[key];
class A {
foo() {
// This is a user-defined method.
this.eval("var a = 0");
}
eval() {
}
static {
// This is a user-defined static method.
this.eval("var a = 0");
}
static eval() {
}
}
Options
allowIndirect
This rule has an option to allow "indirect eval". Indirect calls to eval are less dangerous than direct calls to eval because they cannot dynamically change the scope: the evaluated string always runs in the global scope and cannot read or modify the caller's local variables. Because of this, they also will not negatively impact performance to the degree that direct eval does.
{
"no-eval": ["error", {"allowIndirect": true}] // default is false
}
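The scope difference that allowIndirect relies on can be observed directly. The following added example (not part of the ESLint documentation) evaluates the same strings through a direct call, through the (0, eval) alias used in the examples below, and through globalThis.eval, and records what each one can see. The function name compareEvalForms and the global property sharedGlobal are assumptions made for this illustration.

```javascript
// Added example (not from the ESLint docs): the scope difference between direct
// and indirect eval that the allowIndirect option is based on.
function compareEvalForms() {
  let local = 42;                      // a binding that exists only in this function
  globalThis.sharedGlobal = "global";  // an explicit global, visible from any scope

  const indirectEval = (0, eval);      // the alias form shown in the rule's examples
  const results = {};

  // Direct eval runs in the caller's scope: it can read and even mutate `local`.
  results.directTypeofLocal = eval("typeof local");              // "number"
  eval("local = local + 1");
  results.localAfterDirect = local;                                // 43

  // Indirect eval runs in the global scope: `local` does not exist there, while
  // real globals are still reachable. typeof is used because reading an
  // undeclared name would throw a ReferenceError.
  results.indirectTypeofLocal = indirectEval("typeof local");     // "undefined"
  results.indirectReadsGlobal = indirectEval("sharedGlobal");      // "global"

  // Calling eval as a property of the global object is also an indirect call.
  results.globalThisTypeofLocal = globalThis.eval("typeof local"); // "undefined"

  delete globalThis.sharedGlobal;
  return results;
}
```

Indirect eval still executes arbitrary code with the process's full privileges, so allowIndirect only narrows what an injected string can reach; it is not a substitute for keeping untrusted input out of eval entirely.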
Example of incorrect code for this rule with the {"allowIndirect": true} option:
/*eslint no-eval: ["error", {"allowIndirect": true} ]*/
var obj = { x: "foo" },
key = "x",
value = eval("obj." + key);
Examples of correct code for this rule with the {"allowIndirect": true} option:
/*eslint no-eval: ["error", {"allowIndirect": true} ]*/
(0, eval)("var a = 0");
var foo = eval;
foo("var a = 0");
this.eval("var a = 0");
/*eslint no-eval: ["error", {"allowIndirect": true} ]*/
/*global window*/
window.eval("var a = 0");
/*eslint no-eval: ["error", {"allowIndirect": true} ]*/
/*global global*/
global.eval("var a = 0");
Known Limitations
- This rule warns on every eval() call even if the eval is not the global one. This behavior is in order to detect calls of direct eval. Such as:
module.exports = function(eval) {
    // If the value of this `eval` is the built-in `eval` function, this is a
    // call of direct `eval`.
    eval("var a = 0");
};
- This rule cannot catch renaming the global object. Such as:
var foo = window;
foo.eval("var a = 0");
Related Rules
Version
This rule was introduced in ESLint v0.0.2.