eval()-like method JS-0330
Executing JavaScript from an arbitrary string can greatly compromise your application's security. It is possible to achieve eval()-like behaviour from incorrect use of the following functions: setTimeout(), setInterval(), setImmediate() and execScript() (Internet Explorer only). All of them are capable of accepting a string as their first argument and then interpreting it as JavaScript code in the global scope. If any part of that string is built from untrusted input, the input is compiled and run as code, which leaves your application open to code injection.
```javascript
setTimeout('alert("Hi!");', 100);
```

Using the Function constructor has similar behavior, wherein it interprets a string as JavaScript code:

```javascript
const fn = new Function('a', 'b', 'return a + b');
```
Bad practice:

```javascript
// A string passed as the first argument is parsed and executed as code.
setTimeout('alert("Hi!");', 100);
// or:
execScript('alert("Hi!")');
// or:
window.setInterval('foo = bar', 10);
// or:
const callback = new Function('err', 'res', 'store(res.data);');
```
Recommended:

```javascript
// Pass a function, not a string; the body is compiled once with the rest of
// the script and no runtime string is ever turned into code.
setTimeout(function () {
  alert('Hi!');
}, 100);
// execScript is a non-standard, IE-only API; avoid it on modern browsers.
execScript(function () {
  alert('Hi!');
});
const callback = (err, res) => {
  store(res.data);
};
```
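The following is an added example, not code from the rule page above. It shows why the string form matters in practice: a code string assembled from untrusted input can be escaped by that input, while the same value captured by a closure stays inert data. `new Function` stands in for the string form of `setTimeout`/`setInterval` so the effect is synchronous and inspectable; `safeTimeout`, the `state` object and the `payload` string are assumptions constructed for this example.

```javascript
// Added example (not from the DeepSource rule page): string-built code vs closures.

// Constructed application state that untrusted input must not be able to change.
const state = { adminMode: false, lastMessage: '' };

// UNSAFE: interpolates untrusted input into a JavaScript source string and hands it
// to an eval-like sink. `new Function` is used instead of setTimeout('...') so the
// result is synchronous; the string form of setTimeout compiles the string the same way.
function buildUnsafe(untrusted) {
  const src = 'target.lastMessage = "' + untrusted + '";';
  return new Function('target', src); // the whole string becomes code
}

// SAFE: the untrusted value is only ever data, captured by a closure.
function buildSafe(untrusted) {
  return (target) => {
    target.lastMessage = untrusted;
  };
}

// Reset state, run the built callback against it and return a snapshot.
function runUnsafe(input) {
  state.adminMode = false;
  state.lastMessage = '';
  buildUnsafe(input)(state);
  return { ...state };
}

function runSafe(input) {
  state.adminMode = false;
  state.lastMessage = '';
  buildSafe(input)(state);
  return { ...state };
}

// Constructed attacker payload: closes the string literal, injects a statement,
// then reopens a literal so the generated source still parses.
const payload = 'hi"; target.adminMode = true; "';

// Guarded wrapper (assumed helper): refuses anything that is not a function, so a
// string can never reach the eval-like path. Node's setTimeout already throws a
// TypeError for a string callback; browsers still accept and execute it.
function safeTimeout(callback, ms, ...args) {
  if (typeof callback !== 'function') {
    throw new TypeError('safeTimeout: callback must be a function, got ' + typeof callback);
  }
  return setTimeout(callback, ms, ...args);
}

// Quick demonstration when run directly.
console.log('benign, unsafe :', runUnsafe('hello'));
console.log('payload, unsafe:', runUnsafe(payload)); // adminMode flipped to true
console.log('payload, safe  :', runSafe(payload));   // adminMode stays false
```

On benign input both builders behave identically, which is exactly why the string form survives code review; only the hostile input reveals that the "data" was being compiled. The wrapper is the kind of check a linter rule such as JS-0330 enforces statically: if every timer call goes through a function-typed API, the string form cannot be reintroduced.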