Rule Option Proposal: `no-eval` allows indirect-evals #4441

Closed
mysticatea opened this Issue Nov 16, 2015 · 4 comments

mysticatea commented Nov 16, 2015

Spawned from #4399

Indirect eval calls are relatively less dangerous than direct eval calls.
So I propose an option to allow indirect eval calls.

{
    "no-eval": [2, {"allowIndirect": true}] // default is false
}

This option considers the following patterns to be problems:

eval("var a = 0");

This option considers the following patterns NOT to be problems:

(0, eval)("var a = 0");

function foo(eval) {
    eval("var a = 0");
}
foo(eval);

I'm happy to work on this.

michaelficarra commented Nov 16, 2015

For the second example (function foo ...), it should be stated that this is a direct eval, but we just can't catch it. So this is also not reported if allowIndirect is false.

mysticatea commented Nov 16, 2015

Wow... `function foo(eval) { eval("var a = 0"); }` is a direct eval?

michaelficarra commented Nov 16, 2015

Yep. See #4399 (comment).

mysticatea commented Nov 16, 2015

Ah... sorry, thank you.
Hmm.

@mysticatea mysticatea self-assigned this Nov 18, 2015

mysticatea added a commit to mysticatea/eslint that referenced this issue Nov 21, 2015

Fix: `no-eval` come to catch indirect eval (fixes eslint#4399, fixes eslint#4441)

- Functions to detect `this` binding is default were extracted to AST
Utils from `no-invalid-this`. And `no-eval` is using this utility.
- `allowIndirect` option was added to `no-eval` in order to keep old
behavior.

@mysticatea mysticatea closed this in 13c8b06 Dec 1, 2015

@eslint eslint bot locked and limited conversation to collaborators Feb 7, 2018

@eslint eslint bot added the archived due to age label Feb 7, 2018
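
The distinction discussed in this thread, as an added example that is not part of the original issue or of ESLint's code: a direct eval runs its string in the caller's local scope, an indirect eval runs it in the global scope, and a parameter named `eval` that receives the built-in still performs a direct eval. All function and variable names are constructed for illustration, and the third case is built with the `Function` constructor so that it stays sloppy-mode code, since strict mode rejects a parameter named `eval`.

```javascript
// Added example: scope seen by direct and indirect eval calls.
// All names (probeDirect, probeIndirect, probeShadowedParam, token) are
// constructed for this illustration.

// Direct eval: the callee is the bare identifier `eval` and it resolves to
// the built-in function, so the string runs in the caller's local scope.
function probeDirect() {
    const token = "local";              // constructed sample value
    return eval("typeof token");        // can read the local binding
}

// Indirect eval: the callee is any other expression that yields the built-in.
// The string runs in the global scope, where `token` does not exist.
function probeIndirect() {
    const token = "local";              // invisible to the evaluated string
    return (0, eval)("typeof token");
}

// The `function foo(eval) { eval(...) }` pattern from the thread. The callee
// is still the bare identifier `eval`; whether the call is a direct eval is
// decided at run time by the value bound to that name, which is why a static
// rule cannot tell. Built with the Function constructor so the body is
// sloppy-mode code even when this file is loaded as strict or as an ES module.
const shadowedBody = new Function(
    "eval",
    "const token = 'local'; return eval('typeof token');"
);

function probeShadowedParam(fn) {
    return shadowedBody(fn);
}

// Collects every case so the results can be compared side by side.
function runAll() {
    return {
        direct: probeDirect(),
        indirect: probeIndirect(),
        paramIsBuiltin: probeShadowedParam(eval),
        paramIsOther: probeShadowedParam(() => "not evaluated"),
    };
}

console.log(runAll());
```
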
