no-implied-eval
Disallow the use of
eval()-like functions.
该规则需要 类型信息 才能运行,但这会带来性能方面的权衡。
This is an "extension" rule that replaces a core ESLint rule to work with TypeScript. See Rules > Extension Rules.
This rule extends the base no-implied-eval rule from ESLint core. 它使用类型信息来确定哪些值是类似 eval() 的函数。
¥It uses type information to determine which values are eval()-like functions.
避免使用 eval() 被认为是一种很好的做法。这样做涉及安全性和性能问题,这就是为什么许多 linters 建议不允许 eval()。然而,还有一些其他方法可以传递字符串并将其解释为具有类似问题的 JavaScript 代码。
¥It's considered a good practice to avoid using eval(). There are security and performance implications involved with doing so, which is why many linters recommend disallowing eval(). However, there are some other ways to pass a string and have it interpreted as JavaScript code that have similar concerns.
第一种是使用 setTimeout()、setInterval()、setImmediate 或 execScript()(仅限 Internet Explorer),它们都可以接受代码字符串作为其第一个参数
¥The first is using setTimeout(), setInterval(), setImmediate or execScript() (Internet Explorer only), all of which can accept a string of code as their first argument
setTimeout('alert(`Hi!`);', 100);
或使用 new Function()
¥or using new Function()
const fn = new Function('a', 'b', 'return a + b');
这被视为隐含的 eval(),因为传入了一串代码进行解释。setInterval()、setImmediate() 和 execScript() 也可以这样做。所有这些都在全局作用域内解释 JavaScript 代码。
¥This is considered an implied eval() because a string of code is
passed in to be interpreted. The same can be done with setInterval(), setImmediate() and execScript(). All interpret the JavaScript code in the global scope.
最佳做法是避免使用 new Function() 或 execScript(),并始终对 setTimeout()、setInterval() 和 setImmediate() 的第一个参数使用函数。
¥The best practice is to avoid using new Function() or execScript() and always use a function for the first argument of setTimeout(), setInterval() and setImmediate().
示例
¥Examples
此规则旨在通过使用 new Function()、setTimeout()、setInterval()、setImmediate() 或 execScript() 消除隐含的 eval()。
¥This rule aims to eliminate implied eval() through the use of new Function(), setTimeout(), setInterval(), setImmediate() or execScript().
- ❌ Incorrect
- ✅ Correct
setTimeout('alert(`Hi!`);', 100);
setInterval('alert(`Hi!`);', 100);
setImmediate('alert(`Hi!`)');
execScript('alert(`Hi!`)');
window.setTimeout('count = 5', 10);
window.setInterval('foo = bar', 10);
const fn = '() = {}';
setTimeout(fn, 100);
const fn = () => {
return 'x = 10';
};
setTimeout(fn(), 100);
const fn = new Function('a', 'b', 'return a + b');
setTimeout(function () {
alert('Hi!');
}, 100);
setInterval(function () {
alert('Hi!');
}, 100);
setImmediate(function () {
alert('Hi!');
});
execScript(function () {
alert('Hi!');
});
const fn = () => {};
setTimeout(fn, 100);
const foo = {
fn: function () {},
};
setTimeout(foo.fn, 100);
setTimeout(foo.fn.bind(this), 100);
class Foo {
static fn = () => {};
}
setTimeout(Foo.fn, 100);
如何使用
- Flat Config
- Legacy Config
export default tseslint.config({
rules: {
// Note: you must disable the base rule as it can report incorrect errors
"no-implied-eval": "off",
"@typescript-eslint/no-implied-eval": "error"
}
});
module.exports = {
"rules": {
// Note: you must disable the base rule as it can report incorrect errors
"no-implied-eval": "off",
"@typescript-eslint/no-implied-eval": "error"
}
};
在线运行试试这个规则 ↗
选项
See eslint/no-implied-eval's options.
何时不使用它
¥When Not To Use It
如果你的项目是罕见的需要允许 new Function() 或 setTimeout()、setInterval()、setImmediate() 和 execScript() 带有字符串参数的项目,那么你可以禁用此规则。你可以考虑在这些特定情况下使用 ESLint 禁用注释,而不是完全禁用此规则。
¥If your project is a rare one that needs to allow new Function() or setTimeout(), setInterval(), setImmediate() and execScript() with string arguments, then you can disable this rule.
You might consider using ESLint disable comments for those specific situations instead of completely disabling this rule.
Type checked lint rules are more powerful than traditional lint rules, but also require configuring type checked linting.
See Troubleshooting > Linting with Type Information > Performance if you experience performance degradations after enabling type checked rules.
'## 资源'
Taken with ❤️ from ESLint core.