Closed lee-smith-gl closed 6 months ago
I could easily remove it from the optional chaining detection, and I can try to do that sometime this week (perhaps today); however, it does not make sense to remove it from the compiler path of the library.

If you're unable to use eval or new Function or something similar, you cannot make use of the sandboxed logic compiler, which optimizes performance of the logic. Any other mechanism would be an attempt to subvert the intentions of the unsafe-eval CSP.

However: you will be able to use logic.run instead, though, which for most use cases should be more than performant.
Thanks for the fast, comprehensive reply. We've refactored our code, replacing logic.build usage with logic.run, resolving our CSP violation.
Thanks again.
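The trade-off the maintainer describes above (a compiled fast path that needs new Function, versus an interpreted path that works under a CSP without 'unsafe-eval') is easy to see in miniature. The following is an added example written for this page; it is not code from json-logic-engine and does not model its actual API or rule set. It supports only a hypothetical handful of operators (var, ==, >, and, +) over rules of the shape {"op": [args]}, and the sample rule and data are constructed here. The supportsDynamicCode check is the standard feature-detection pattern: a browser enforcing a CSP without 'unsafe-eval' throws an EvalError from new Function, so the caller can fall back to the interpreter instead of crashing.

```javascript
// Added example: interpreter vs. `new Function` compiler for a tiny,
// hypothetical JSON-logic dialect, with a CSP-aware fallback. Not the
// json-logic-engine implementation.

// Feature detection: under a CSP that lacks 'unsafe-eval', browsers throw
// (an EvalError) from `new Function`. In Node this returns true.
function supportsDynamicCode() {
  try {
    new Function("return 1")();
    return true;
  } catch (e) {
    return false;
  }
}

// Walk a dotted path into the data object; missing segments yield undefined.
function getPath(data, path) {
  return path.reduce((acc, k) => (acc == null ? undefined : acc[k]), data);
}

function splitRule(rule) {
  const entries = Object.entries(rule);
  if (entries.length !== 1) throw new Error("rule must have exactly one operator");
  const [op, args] = entries[0];
  return [op, Array.isArray(args) ? args : [args]];
}

function isLiteral(rule) {
  return rule === null || typeof rule !== "object" || Array.isArray(rule);
}

// Path 1: tree-walking interpreter. Never executes generated source, so it
// runs under a strict CSP (the analogue of logic.run in the thread).
function interpret(rule, data) {
  if (isLiteral(rule)) return rule;
  const [op, argv] = splitRule(rule);
  switch (op) {
    case "var": return getPath(data, String(argv[0]).split("."));
    case "==": return interpret(argv[0], data) == interpret(argv[1], data);
    case ">": return interpret(argv[0], data) > interpret(argv[1], data);
    case "and": return argv.every(a => Boolean(interpret(a, data)));
    case "+": return argv.reduce((s, a) => s + Number(interpret(a, data)), 0);
    default: throw new Error("unsupported operator: " + op);
  }
}

// Path 2: compile the rule to JavaScript source. Literals and path segments
// are emitted through JSON.stringify so rule text can never break out of a
// string literal into the generated code.
function toSource(rule) {
  if (isLiteral(rule)) return JSON.stringify(rule);
  const [op, argv] = splitRule(rule);
  switch (op) {
    case "var": return `get(data, ${JSON.stringify(String(argv[0]).split("."))})`;
    case "==": return `(${toSource(argv[0])} == ${toSource(argv[1])})`;
    case ">": return `(${toSource(argv[0])} > ${toSource(argv[1])})`;
    case "and": return "(" + argv.map(a => `Boolean(${toSource(a)})`).join(" && ") + ")";
    case "+": return argv.length ? "(" + argv.map(a => `Number(${toSource(a)})`).join(" + ") + ")" : "0";
    default: throw new Error("unsupported operator: " + op);
  }
}

// This is the call a CSP without 'unsafe-eval' blocks (the analogue of
// logic.build in the thread).
function compile(rule) {
  const fn = new Function("get", "data", "return (" + toSource(rule) + ");");
  return data => fn(getPath, data);
}

// Choose the fast path only when the environment permits dynamic code;
// `allowDynamicCode` is exposed so the fallback can be exercised directly.
function build(rule, { allowDynamicCode = supportsDynamicCode() } = {}) {
  return allowDynamicCode ? compile(rule) : data => interpret(rule, data);
}

// Constructed sample rule and data (not from the page).
const SAMPLE_RULE = {
  and: [{ ">": [{ var: "user.age" }, 17] }, { "==": [{ var: "user.role" }, "admin"] }],
};
const SAMPLE_DATA = { user: { age: 30, role: "admin" } };

if (typeof require !== "undefined" && require.main === module) {
  console.log("dynamic code allowed:", supportsDynamicCode());
  console.log("generated source:", toSource(SAMPLE_RULE));
  console.log("compiled:", build(SAMPLE_RULE)(SAMPLE_DATA));
  console.log("interpreted:", build(SAMPLE_RULE, { allowDynamicCode: false })(SAMPLE_DATA));
}
```

Both paths must agree on every rule, which is the property to test when swapping one for the other; the interpreter costs a tree walk per evaluation, the compiler one `new Function` per rule, which is why a strict CSP only removes the latter.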
Hi,
I am currently working on an Angular (v16.2.9) application that uses the json-logic-engine library.
While implementing a Content Security Policy (CSP), I discovered that the library's use of eval is causing a violation of the CSP guidelines.
Is there any possibility that the library could be refactored to eliminate the use of eval?
The repository includes two instances of the eval function:
https://github.com/TotalTechGeek/json-logic-engine/blob/master/utilities/chainingSupported.js
and:
https://github.com/TotalTechGeek/json-logic-engine/blob/master/compiler.js
Any help would be greatly appreciated.