Area of impact
Covered by Quality Clouds
Covered by free scan utility
== comparison operator always converts (to matching types) before comparison.
=== operator forces comparison of values and type.
Avoid use of
eval() function is used to run text as code. In almost all cases, it should not be necessary to use it. Because it allows arbitrary code to be run, it also represents a security problem.
Loops can become slow if not done right.
And an even shorter way of achieving this is to create a second variable in the pre-loop statement.
Another thing to ensure is that you keep computation-heavy code outside loops. This includes regular expressions and — more importantly — DOM manipulation. You can create the DOM nodes in the loop but avoid inserting them into the document.
Avoid use of
The use of alerts functions is discouraged in Production environments, as it could inadvertently expose sensitive data or program internals.
Avoid use of local storage on Client Scripts
HTML 5 allows developers to store megabytes of data on the client-side. This can be a security vulnerability as the data is not encrypted by default.
targetOrigin on cross-domain messaging
HTML 5 allows for the exchange of messages between different Window objects. The window.postMessage() function can be used to achieve this, but using the wildcard * targetOrigin in this function can allow a malicious site to intercept messages being passed between your application Windows. Therefore, uses of the window.postMessage method such as window.postMessage("Message", *); should always be avoided.
See this reference for further details.
Avoid use of
Function constructors are similar to the Eval function in that will transform any String into executable code. From this point of view, they are a serious security vulnerability.
Additionally, each time the
Function constructor is called on a string representing source code, the script engine must start the machinery that converts the source code to executable code. This is usually expensive for performance - easily a hundred times more expensive than a simple function call, for example.
Function constructor does not affect the code surrounding the use, but it can still be quite slow.
Avoid use of WebDB
The Web SQL Database (https://www.w3.org/TR/webdatabase/) was a failed attempt by the W3C to introduce a set of APIs to manipulate client-side databases using SQL. It is not implemented by all browsers, but any possible references to it should be avoided, as only a user name is required to access the data stored in these repositories.
Avoid use of debugging statements
A common development practice is to add "back door" code specifically designed for debugging or testing purposes that is not intended to be shipped or deployed with the application. These back door entry points create security risks because they are not considered during design or testing and fall outside of the expected operating conditions of the application.
Avoid making connections on unsecure protocols