Call setTimeout with function expression.

[diegocr]

In order to prevent vulnerabilities, the setTimeout and setInterval functions should be called only with function expressions as their first argument.

[dmethvin]

I'm not sure I understand. I think you're referring to the use of a string as the first arg, which doesn't apply here. Can you point to a reference that supports your suggestion?

[diegocr]

Hi @dmethvin

I'm submitting an add-on to the Mozilla website (addons.mozilla.org) containing your lib, and their code validator is complaining with the following:

Warning: `setTimeout` called in potentially dangerous manner
In order to prevent vulnerabilities, the `setTimeout` and `setInterval` functions should be called only with function expressions as their first argument.
    Automated signing severity: high
    Suggestions for passing automated signing:
Please do not ever call `setTimeout` or `setInterval` with string arguments. If you are passing a function which is not being correctly detected as such, please consider passing a closure or arrow function, which in turn calls the original function.
    Tier:   3
    File:   js/vendor/jquery.mousewheel.js
    Line:   181
    Column: 33
    Context:
    > if (nullLowestDeltaTimeout) { clearTimeout(nullLowestDeltaTimeout); }
    > nullLowestDeltaTimeout = setTimeout(nullLowestDelta, 200);
    > 

Apparently the main concern here is that the validator has no reliably way of knowing if nullLowestDelta is really a function or a string (or if it could turn into a string at some point)

[dmethvin]

Okay, so it's a limitation in their tool. I don't see any harm in this change and would have done it this way to begin with, so LGTM. I just wanted to be sure I understood why the change was being made.

[diegocr]

Thank you! (as long LGTM stand for "let's get this merged" :))

Seriously, the Mozilla Editors don't allow including modified vendor files in extensions, hence this getting merged here will make their and my life easier.