Call to eval-like DOM function

ID: js/eval-like-call
Kind: problem
Security severity: (none)
Severity: recommendation
Precision: very-high
Tags:
- quality
- maintainability
- readability
- external/cwe/cwe-676
Query suites:
- javascript-security-and-quality.qls
Several DOM functions evaluate strings as code without an explicit call to eval. They should be avoided for the same reasons as eval itself: the string is parsed and executed at runtime, so any untrusted data that reaches it becomes code, and the call is harder to read, lint and refactor than a plain function reference.
Recommendation

When calling setTimeout or setInterval, pass a function to invoke, not a string to evaluate.

Instead of using document.write to insert raw HTML into the DOM, build the DOM with a framework such as jQuery or with the standard DOM APIs (createElement, textContent, appendChild).
Example

In the following example, setTimeout is used to register a callback. The code to execute once the timeout expires is given as a string; this is bad practice.
setTimeout("notifyUser();", 1000);
Instead, pass the function to be invoked directly to setTimeout, like this:
setTimeout(notifyUser, 1000);
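To show what this query looks for in practice, here is an added example that is not part of the CodeQL documentation and not a CodeQL query: a small lint-style scanner that flags the eval-like calls described above (string arguments to setTimeout and setInterval, document.write, and the Function constructor) and runs it over a constructed source snippet containing the page's bad and good setTimeout calls side by side with their setInterval and document.write counterparts. The patterns are regex heuristics assumed for illustration; they do not track data flow the way the real query does.

```javascript
// Added example (not from the CodeQL docs): a lightweight lint-style check
// that flags the eval-like DOM calls described on this page. The regexes are
// illustrative heuristics, not the CodeQL query itself.

const EVAL_LIKE_PATTERNS = [
  // setTimeout("code", ms) / setInterval("code", ms): first argument is a string literal
  { name: "setTimeout-with-string", re: /\bsetTimeout\s*\(\s*['"`]/ },
  { name: "setInterval-with-string", re: /\bsetInterval\s*\(\s*['"`]/ },
  // document.write / document.writeln inject raw HTML into the DOM
  { name: "document.write", re: /\bdocument\.write(?:ln)?\s*\(/ },
  // new Function("...") is eval by another name
  { name: "Function-constructor", re: /\bnew\s+Function\s*\(/ },
];

// Scan source text line by line and return one finding per matching pattern.
function findEvalLikeCalls(source) {
  const findings = [];
  source.split("\n").forEach((text, index) => {
    for (const { name, re } of EVAL_LIKE_PATTERNS) {
      if (re.test(text)) {
        findings.push({ line: index + 1, kind: name, text: text.trim() });
      }
    }
  });
  return findings;
}

// Constructed sample source: each flagged call is followed by its safe form.
// Line numbers below start at 1 for the empty line after the opening backtick.
const SAMPLE = `
setTimeout("notifyUser();", 1000);
setTimeout(notifyUser, 1000);
setInterval("poll()", 5000);
setInterval(poll, 5000);
document.write("<p>" + msg + "</p>");
const p = document.createElement("p"); p.textContent = msg; document.body.appendChild(p);
const f = new Function("return " + expr);
`;

function sampleFindings() {
  return findEvalLikeCalls(SAMPLE);
}

if (typeof require !== "undefined" && require.main === module) {
  for (const f of sampleFindings()) {
    console.log(`line ${f.line}: ${f.kind}: ${f.text}`);
  }
}
```

Run with node to list the four flagged lines; the lines using a function reference, createElement and textContent produce no findings, which is the shape the recommendation above asks for.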
References

D. Crockford,
Common Weakness Enumeration: CWE-676, https://cwe.mitre.org/data/definitions/676.html