CodeQL documentation

Call to eval-like DOM function

ID: js/eval-like-call
Kind: problem
Severity: recommendation
Precision: very-high
   - maintainability
   - external/cwe/cwe-676
Query suites:
   - javascript-security-and-quality.qls

Click to see the query in the CodeQL repository

Several DOM functions allow evaluating strings as code without using eval explicitly. They should be avoided for the same reason as eval itself.


When calling setTimeout or setInterval, do not pass it a string to evaluate but a function.

Instead of using document.write to insert raw HTML into the DOM, use a framework such as jQuery.


In the following example, setTimeout is used to register a callback. The code to execute once the timeout expires is given as a string; this is bad practice.

setTimeout("notifyUser();", 1000);

Instead, directly pass the function to be invoked to setTimeout like this:

setTimeout(notifyUser, 1000);


  • D. Crockford, JavaScript: The Good Parts, Appendix B.3. O’Reilly, 2008.

  • Common Weakness Enumeration: CWE-676.