New
Introducing React Doctor for Enterprise

react-doctor/no-eval

Use `JSON.parse` for serialized data, `Function(...)` (still careful) for trusted templates, or refactor to avoid dynamic code execution

  • Category: Security
  • Severity: error
  • Source: oxlint-plugin-react-doctor
  • Framework: global
  • Enabled when: always

Validation prompt

Use this to decide whether a fired diagnostic is real or a false positive.

Confirm one of three AST shapes: a bare eval(...) Identifier call, a new Function(...) NewExpression, or setTimeout / setInterval whose first argument is a string literal (the rule does not flag function-valued first arguments). True positives are almost always real code-injection or CSP-violating risks.

Fix prompt

Use this once validation confirms the diagnostic is real.

Parse data with JSON.parse, replace string-arg timers with arrow functions (setTimeout(() => doThing(), 100) instead of setTimeout("doThing()", 100)), and refactor templated code generation into a pre-compiled function or lookup table. If dynamic evaluation is truly required, sandbox it in a Web Worker or a strict Trusted Types CSP context. See https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/eval#never_use_eval!

More Security rules from the rules reference:

  • react-doctor/no-secrets-in-client-code: Move secrets to server-only code. Public client environment variables are bundled into browser code and must not contain secrets
  • react-doctor/nosql-injection-risk: Building a NoSQL query from raw client input lets an attacker inject operator-shaped keys or `$where` code and read or alter data they should not.
  • react-doctor/package-metadata-secret: A secret or public-prefixed secret name in `package.json` leaks easily, because package metadata is routinely published to registries, logs, and browser bundles.
  • react-doctor/path-traversal-risk: Building a filesystem path from request input lets an attacker use `..` or absolute paths to read or write files outside the intended directory.
  • react-doctor/plugin-update-trust-risk: Downloading and running an update or plugin without verifying its integrity lets an attacker ship malicious code to your users.