
no-eval

Disallow the use of eval()

JavaScript's eval() function is potentially dangerous and is often misused. Using eval() on untrusted input can open a program up to several different injection attacks, because the evaluated string is executed as code with the full privileges of the caller. In most contexts the use of eval() can be replaced by a better, more appropriate solution to the problem.

const obj = { x: "foo" },
    key = "x",
    value = eval("obj." + key);
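The snippet above builds source code from data: whatever is in key is executed, not merely looked up. As an added example (not part of the ESLint documentation), the following hypothetical helper getPath() does the same job with bracket notation only, extends it to dotted paths such as "user.address.city", validates each segment as a plain identifier, and walks own properties only so that a path cannot reach into built-ins through the prototype chain. The sample data is constructed for the example.

```javascript
// Added example, not from the ESLint docs: a lookup that replaces
// eval("obj." + path) without ever treating the path as code.

// A segment must look like a plain identifier. Anything else (spaces,
// parentheses, semicolons, quotes) is rejected instead of being executed.
const IDENTIFIER = /^[A-Za-z_$][\w$]*$/;

// Hypothetical helper: resolve a dotted path against an object.
function getPath(obj, path) {
  let current = obj;
  for (const segment of String(path).split(".")) {
    if (!IDENTIFIER.test(segment)) {
      throw new TypeError(`invalid path segment: ${JSON.stringify(segment)}`);
    }
    // Only descend into objects/arrays and only through own properties, so
    // "__proto__" or "constructor" on a plain object yields undefined.
    if (current === null || typeof current !== "object" ||
        !Object.prototype.hasOwnProperty.call(current, segment)) {
      return undefined;
    }
    current = current[segment];
  }
  return current;
}

// Constructed sample data for the example.
const sample = { x: "foo", user: { address: { city: "Oslo" } } };

// Returns the results a practitioner would compare against the eval form.
function demo() {
  return {
    top: getPath(sample, "x"),                    // "foo", same as obj[key]
    nested: getPath(sample, "user.address.city"), // "Oslo"
    missing: getPath(sample, "user.phone"),       // undefined, no exception
    proto: getPath(sample, "__proto__"),          // undefined, not Object.prototype
  };
}
```

With eval("obj." + key) the same inputs would work for "x" and "user.address.city", but a key that is not an identifier would be executed as code; getPath() throws on it instead.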

Rule Details

This rule is aimed at preventing potentially dangerous, unnecessary, and slow code by disallowing the use of the eval() function. As such, it will warn whenever the eval() function is used.

Examples of incorrect code for this rule:

/*eslint no-eval: "error"*/

const obj = { x: "foo" },
    key = "x",
    value = eval("obj." + key);

(0, eval)("const a = 0");

const foo = eval;
foo("const a = 0");

// This `this` is the global object.
this.eval("const a = 0");

Example of additional incorrect code for this rule with the window global variable:

/*eslint no-eval: "error"*/
/*global window*/

window.eval("const a = 0");

Example of additional incorrect code for this rule with the global global variable:

/*eslint no-eval: "error"*/
/*global global*/

global.eval("const a = 0");

Examples of correct code for this rule:

/*eslint no-eval: "error"*/

const obj = { x: "foo" },
    key = "x",
    value = obj[key];

class A {
    foo() {
        // This is a user-defined method.
        this.eval("const a = 0");
    }

    eval() {
    }

    static {
        // This is a user-defined static method.
        this.eval("const a = 0");
    }

    static eval() {
    }
}

Options

allowIndirect

This rule has an option to allow "indirect eval". Indirect calls to eval are less dangerous than direct calls to eval because they cannot dynamically change the scope: the string is evaluated in the global scope rather than in the caller's. Because of this, they also do not hurt performance to the degree that direct eval does, since the engine does not have to keep every local variable of the enclosing function reachable.

{
    "no-eval": ["error", {"allowIndirect": true}] // default is false
}
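To see what "cannot dynamically change the scope" means in practice, here is an added example (not from the ESLint documentation) that evaluates the same string three ways. Each function declares a local secret; only the direct call can see it, while the comma-operator form and the aliased form are indirect and run in the global scope.

```javascript
// Added example, not from the ESLint docs: direct vs. indirect eval and the
// caller's scope. The evaluated string only asks whether `secret` is visible.

function directEvalSeesLocals() {
  const secret = 42; // local binding of this function
  // Direct call: evaluated inside this function's scope, so the engine must
  // keep `secret` (and every other local) reachable for the evaluated code.
  return eval("typeof secret"); // "number"
}

function indirectEvalSeesLocals() {
  const secret = 42;
  // (0, eval) yields the eval function as a value; calling that value is an
  // indirect eval, which runs in the global scope where `secret` does not exist.
  return (0, eval)("typeof secret"); // "undefined"
}

function aliasedEvalSeesLocals() {
  const secret = 42;
  const evaluate = eval; // a call through any alias is also indirect
  return evaluate("typeof secret"); // "undefined"
}

// Summary the way a reviewer would compare the three forms.
function compare() {
  return {
    direct: directEvalSeesLocals(),
    indirect: indirectEvalSeesLocals(),
    aliased: aliasedEvalSeesLocals(),
  };
}
```

This is exactly the distinction allowIndirect relies on: the indirect forms are what the option permits, because evaluated text can no longer read or shadow the caller's variables, although it still executes with the program's global privileges.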

Example of incorrect code for this rule with the {"allowIndirect": true} option:

/*eslint no-eval: ["error", {"allowIndirect": true} ]*/

const obj = { x: "foo" },
    key = "x",
    value = eval("obj." + key);

Examples of correct code for this rule with the {"allowIndirect": true} option:

/*eslint no-eval: ["error", {"allowIndirect": true} ]*/

(0, eval)("const a = 0");

const foo = eval;
foo("const a = 0");

this.eval("const a = 0");

/*eslint no-eval: ["error", {"allowIndirect": true} ]*/
/*global window*/

window.eval("const a = 0");

/*eslint no-eval: ["error", {"allowIndirect": true} ]*/
/*global global*/

global.eval("const a = 0");

Known Limitations

  • This rule warns on every eval(), even if the eval is not the global one. This behavior is in order to detect calls of direct eval. For example:

    module.exports = function(eval) {
        // If the value of this `eval` is built-in `eval` function, this is a
        // call of direct `eval`.
        eval("const a = 0");
    };
    
  • This rule cannot catch renaming of the global object. For example:

    const foo = window;
    foo.eval("const a = 0");
    

Version

This rule was introduced in ESLint v0.0.2.

Further Reading

Resources