NicolasCARPi / jquery_jeditable

jQuery edit in place plugin. Extendable via plugin architecture. Plugins for plugin. Really.
https://jeditable.elabftw.net
MIT License
1.74k stars, 459 forks

Unsafe use of eval method #151

Closed jsilland closed 6 years ago

jsilland commented 8 years ago

My website is making use of this plugin and we are in the process of implementing a Content Security Policy, a longstanding W3C recommendation aiming to make websites more secure.

One of the reports we have observed, and that I am presently working on eliminating, is the use of JavaScript's eval method, which essentially allows data, possibly containing user-injected content, to be treated as code: https://github.com/tuupola/jquery_jeditable/blob/dea6556ad6e578601bc432781a695a6e255618ce/jquery.jeditable.js#L490 — this is bad for a variety of reasons.

It appears to me that this vulnerability could be simply addressed by replacing this statement with a call to JSON.parse. If you agree with this analysis, I'd be happy to send a PR to address that.
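As an added illustration that is not part of this thread or of the jquery_jeditable code: a constructed "before" parser that treats the server response as code with eval, as the issue describes, next to the JSON.parse replacement and a small validating wrapper, run on constructed responses. The response field name `value` and the function names are assumptions.

```javascript
// Added example (not from jquery_jeditable): replacing an eval-based
// response parser with JSON.parse so the page can run under a CSP that
// does not allow 'unsafe-eval'. All inputs below are constructed.

// Before: the response body is evaluated as JavaScript. Any expression
// the server (or whoever can influence the response) sends is executed.
// Kept here only to contrast behaviour with the data-only parser.
function parseWithEval(text) {
  return eval('(' + text + ')');
}

// After: the response is treated strictly as data. JSON.parse never
// executes code; anything that is not valid JSON raises a SyntaxError.
function parseWithJson(text) {
  return JSON.parse(text);
}

// Defensive wrapper: besides refusing non-JSON, only accept the shape the
// caller expects (a plain object with a string "value" field), so an
// unexpected-but-valid JSON document does not flow into the DOM update.
function parseEditResponse(text) {
  let data;
  try {
    data = JSON.parse(text);
  } catch (e) {
    return { ok: false, error: 'response is not valid JSON' };
  }
  if (data === null || typeof data !== 'object' || Array.isArray(data)) {
    return { ok: false, error: 'response is not a JSON object' };
  }
  if (typeof data.value !== 'string') {
    return { ok: false, error: 'missing string field "value"' };
  }
  return { ok: true, value: data.value };
}

// Constructed responses: a well-formed one, and one that is valid
// JavaScript (1+1 is an expression) but not valid JSON.
const goodResponse = '{"value": "edited text"}';
const jsResponse = '{"value": "x", "n": 1+1}';

// eval happily computes n = 2; JSON.parse rejects the same input.
console.log(parseWithEval(jsResponse).n);        // 2
console.log(parseEditResponse(goodResponse));    // { ok: true, value: 'edited text' }
console.log(parseEditResponse(jsResponse).ok);   // false
```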

2braincells2go commented 7 years ago

@jsilland Was wondering if you ever forked and maybe made changes to get rid of eval? Causing all kinds of issues on school server and we either must retire jeditable or get it fixed. Really hate to lose it!

Thanks in advance.

Woody

NicolasCARPi commented 6 years ago

Hello, this bug has been fixed. Stay tuned for the next version (if you're still using it!) :)