Skip to main content

no-eval

JavaScript’s eval() function is potentially dangerous and often misused. It can open programs to injection attacks and is slow.
Rule Type: Suggestion
Fixable: No

Why This Rule Exists

  • Security: eval() on untrusted input can execute malicious code
  • Performance: Code in eval() can’t be optimized
  • Debugging: Harder to debug code in eval()
  • Better alternatives: Almost always unnecessary

Rule Details

This rule warns whenever eval() is used.

Examples

Incorrect Code

Correct Code

Why eval() Is Dangerous

Code Injection

eval() with user input can execute arbitrary code.

Performance

Common Use Cases and Alternatives

Dynamic Property Access

JSON Parsing

Dynamic Code Generation

Template Strings

Computed Property Names

Configuration Objects

Safe Alternatives

Sandboxed Evaluation

If you must evaluate code, use a sandbox:

Expression Evaluators

Template Engines

Options

allowIndirect

Type: boolean
Default: false
Allow indirect calls to eval() (less dangerous than direct calls).
With allowIndirect: true
Indirect eval is slightly less dangerous because it runs in global scope, not local scope.

Security Examples

XSS Attack

Data Theft

When Not to Use It

Rarely appropriate to disable this rule. Consider it only if:
  1. You’re building a code evaluation tool (IDE, REPL)
  2. You have strict input validation and sandboxing
  3. You’re using eval in a build tool (not runtime)
Even then, look for safer alternatives first.

Temporary Disable

If absolutely necessary:
But add a comment explaining why it’s necessary and safe.

Further Reading