Skip to main content

no-implied-eval

Using string arguments with setTimeout(), setInterval(), or execScript() is an implied eval() with similar security and performance concerns.
Rule Type: Suggestion
Fixable: No

Why This Rule Exists

Passing strings to timer functions is evaluated like eval():
  • Security risks: String code can be exploited
  • Performance: Can’t be optimized
  • Global scope: Executes in global scope
  • Better alternative: Pass functions instead

Rule Details

This rule disallows string arguments to setTimeout(), setInterval(), and execScript().

Examples

Incorrect Code

Correct Code

Understanding Implied Eval

How String Arguments Work

String arguments to setTimeout/setInterval are evaluated like eval().

Security Risk

Common Patterns and Fixes

Simple Function Call

With Arguments

Multiple Statements

Dynamic Code

Global Variable Assignment

Performance Comparison

Modern Alternatives

Arrow Functions

Function References

Bound Functions

execScript

execScript() is an Internet Explorer-only function that’s now obsolete.

Scope Differences

Migration Guide

Find All Instances

Automated Fix

Complex Cases

When Not to Use It

This rule should almost never be disabled. If you think you need string arguments to timers:
  1. Restructure to use functions
  2. If truly impossible, document why and use eval alternatives

Configuration