no-eval
JavaScript’seval() function is potentially dangerous and often misused. It can open programs to injection attacks and is slow.
Rule Type: Suggestion
Fixable: No
Fixable: No
Why This Rule Exists
- Security:
eval()on untrusted input can execute malicious code - Performance: Code in
eval()can’t be optimized - Debugging: Harder to debug code in
eval() - Better alternatives: Almost always unnecessary
Rule Details
This rule warns whenevereval() is used.
Examples
Incorrect Code
Correct Code
Why eval() Is Dangerous
Code Injection
Performance
Common Use Cases and Alternatives
Dynamic Property Access
JSON Parsing
Dynamic Code Generation
Template Strings
Computed Property Names
Configuration Objects
Safe Alternatives
Sandboxed Evaluation
If you must evaluate code, use a sandbox:Expression Evaluators
Template Engines
Options
allowIndirect
Type: booleanDefault:
false
Allow indirect calls to eval() (less dangerous than direct calls).
Indirect eval is slightly less dangerous because it runs in global scope, not local scope.
Security Examples
XSS Attack
Data Theft
When Not to Use It
Rarely appropriate to disable this rule. Consider it only if:- You’re building a code evaluation tool (IDE, REPL)
- You have strict input validation and sandboxing
- You’re using eval in a build tool (not runtime)