no-implied-eval
Using string arguments withsetTimeout(), setInterval(), or execScript() is an implied eval() with similar security and performance concerns.
Rule Type: Suggestion
Fixable: No
Fixable: No
Why This Rule Exists
Passing strings to timer functions is evaluated likeeval():
- Security risks: String code can be exploited
- Performance: Can’t be optimized
- Global scope: Executes in global scope
- Better alternative: Pass functions instead
Rule Details
This rule disallows string arguments tosetTimeout(), setInterval(), and execScript().
Examples
Incorrect Code
Correct Code
Understanding Implied Eval
How String Arguments Work
Security Risk
Common Patterns and Fixes
Simple Function Call
With Arguments
Multiple Statements
Dynamic Code
Global Variable Assignment
Performance Comparison
Modern Alternatives
Arrow Functions
Function References
Bound Functions
execScript
execScript() is an Internet Explorer-only function that’s now obsolete.Scope Differences
Migration Guide
Find All Instances
Automated Fix
Complex Cases
When Not to Use It
This rule should almost never be disabled. If you think you need string arguments to timers:- Restructure to use functions
- If truly impossible, document why and use eval alternatives