Call to eval-like DOM function
ID: js/eval-like-call
Kind: problem
Security severity: 
Severity: recommendation
Precision: very-high
Tags:
   - quality
   - maintainability
   - readability
   - external/cwe/cwe-676
Query suites:
   - javascript-security-and-quality.qls
Several DOM functions accept a string and evaluate it as code, without calling eval explicitly. They should be avoided for the same reasons as eval itself.
Recommendation
When calling setTimeout or setInterval, pass a function to invoke rather than a string to evaluate.
Instead of using document.write to insert raw HTML into the DOM, use a framework such as jQuery.
Example
In the following example, setTimeout is used to register a callback. The code to execute once the timeout expires is given as a string; this is bad practice.
setTimeout("notifyUser();", 1000);
Instead, directly pass the function to be invoked to setTimeout like this:
setTimeout(notifyUser, 1000);
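As an added illustration (not part of the CodeQL documentation or the query itself), the following line-oriented check flags the three eval-like patterns described on this page: a string first argument to setTimeout or setInterval, and any call to document.write or document.writeln. It is a regex heuristic rather than the AST-based analysis the real query performs; the sample source and the names notifyUser, poll and msg in it are constructed for this example.

```javascript
// Added example, not code from the CodeQL repository: a simple textual check
// for the eval-like DOM calls this query reports. Heuristic only; the real
// query works on a parsed AST and is far more precise.

const EVAL_LIKE_TIMERS = ['setTimeout', 'setInterval'];

// A first argument that starts with a quote or backtick is source text that
// the browser will evaluate as code, which is what the query warns about.
function firstArgIsString(argText) {
  return /^['"`]/.test(argText.trimStart());
}

// Scan JavaScript source and return one finding per eval-like call found.
// Each finding carries the 1-based line, the callee name and a reason.
function findEvalLikeCalls(source) {
  const findings = [];
  source.split('\n').forEach((line, idx) => {
    for (const name of EVAL_LIKE_TIMERS) {
      const re = new RegExp(`\\b${name}\\s*\\(`, 'g');
      let m;
      while ((m = re.exec(line)) !== null) {
        const rest = line.slice(m.index + m[0].length);
        if (firstArgIsString(rest)) {
          findings.push({ line: idx + 1, callee: name, reason: 'string argument evaluated as code' });
        }
      }
    }
    const w = /\bdocument\.(write|writeln)\s*\(/.exec(line);
    if (w !== null) {
      findings.push({ line: idx + 1, callee: `document.${w[1]}`, reason: 'raw HTML written into the DOM' });
    }
  });
  return findings;
}

// Constructed sample input: lines 1, 3 and 5 should be flagged, 2 and 4 should not.
const SAMPLE_SOURCE = [
  'setTimeout("notifyUser();", 1000);',
  'setTimeout(notifyUser, 1000);',
  "setInterval('poll()', 5000);",
  'setInterval(() => poll(), 5000);',
  'document.write("<p>" + msg + "</p>");',
].join('\n');

// Running the check on the sample yields three findings (lines 1, 3 and 5).
function sampleFindings() {
  return findEvalLikeCalls(SAMPLE_SOURCE);
}
```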
References
- D. Crockford, JavaScript: The Good Parts, Appendix B.3. O’Reilly, 2008.
- Common Weakness Enumeration: CWE-676.