Query module PseudoEval

name: Call to eval-like DOM function
description: DOM functions that act like ‘eval’ and execute strings as code are dangerous and impede program analysis and understanding. Consequently, they should not be used.
kind: problem
problem.severity: recommendation
id: js/eval-like-call
tags: maintainability, external/cwe/cwe-676
precision: very-high

Imports

javascript

Provides classes for working with JavaScript programs, as well as JSON, YAML and HTML.

Classes

DocumentWrite

A call to document.write or document.writeln.

EvilTwin

A call to either setTimeout or setInterval where a string literal is passed as the first argument.

ExecScript

A call to window.execScript.

PseudoEval

A call to a DOM function that may evaluate a string as code.
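As an added illustration, not the query's actual source, here is how a query carrying the metadata above could define the four classes listed and report every match. It assumes the standard CodeQL JavaScript data-flow library (`DataFlow::globalVarRef`, `getAMemberCall`, `getACall`, `getArgument`); the exact modelling of each call shape is this example's own choice.

```ql
/**
 * @name Call to eval-like DOM function
 * @description DOM functions that act like 'eval' and execute strings as code
 *              are dangerous and impede program analysis and understanding.
 *              Consequently, they should not be used.
 * @kind problem
 * @problem.severity recommendation
 * @id js/eval-like-call
 * @tags maintainability
 *       external/cwe/cwe-676
 * @precision very-high
 */

import javascript

/** A call to a DOM function that may evaluate a string as code. */
abstract class PseudoEval extends DataFlow::CallNode { }

/** A call to `document.write` or `document.writeln`. */
class DocumentWrite extends PseudoEval {
  DocumentWrite() {
    this = DataFlow::globalVarRef("document").getAMemberCall(["write", "writeln"])
  }
}

/**
 * A call to `setTimeout` or `setInterval` where a string literal is passed
 * as the first argument (the string is compiled and run like `eval`).
 * Assumption of this example: only bare global calls are modelled, so
 * `window.setTimeout(...)` is not covered here.
 */
class EvilTwin extends PseudoEval {
  EvilTwin() {
    this = DataFlow::globalVarRef(["setTimeout", "setInterval"]).getACall() and
    this.getArgument(0).asExpr() instanceof StringLiteral
  }
}

/** A call to `window.execScript`. */
class ExecScript extends PseudoEval {
  ExecScript() { this = DataFlow::globalVarRef("window").getAMemberCall("execScript") }
}

// Report each eval-like call at the call site (one alert per match).
from PseudoEval call
select call, "Avoid using DOM functions that execute strings as code."
```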