Issue summary:
https://groups.google.com/forum/#!topic/simile-widgets/j0Fmgtcrke8
I have been a user of timeline.js for over a year now and must say I'm really
impressed by it and its community.
I have a query regarding the use of eval in src\webapp\api\scripts\timeline.js.
I read a lot about eval being bad and all, so I was wondering whether you could replace
the use of eval in Timeline.loadJSON and Timeline._Impl.prototype.loadJSON
with something like this, for peace of mind:
xhr.onreadystatechange = function() {
    if (xhr.readyState == 4) {
        // JSON.parse does not evaluate the attacker's scripts.
        var resp = JSON.parse(xhr.responseText);
        // resp now holds plain data and can be handed to the timeline loader.
    }
};
Source: Cross-Origin XMLHttpRequest
http://developer.chrome.com/extensions/xhr.html
Original issue reported on code.google.com by ddas...@gmail.com on 8 Aug 2013 at 9:01
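The contrast the issue is asking about, as an added example that is not part of the original post and not code from the Timeline project: a simplified stand-in for the eval-based loader (the exact way Timeline wraps the response text in eval is assumed here, not copied from timeline.js) next to a JSON.parse-based loader that also checks the response has the shape a timeline expects. The sample response bodies are constructed for the demonstration.

```javascript
// Added example; not from the original issue or the Timeline code base.
// Contrasts eval-based loading (simplified, assumed form) with JSON.parse.

// Records whether any response body ever ran as code.
const sideEffects = [];

// Simplified stand-in for the eval-based pattern the issue refers to: whatever
// JavaScript the response contains runs with the page's own privileges.
function loadJSONWithEval(responseText) {
  // eslint-disable-next-line no-eval
  return eval("(" + responseText + ")");
}

// Hardened replacement: JSON.parse accepts only the JSON grammar, so a
// response carrying code raises a SyntaxError instead of being executed.
function loadJSONSafe(responseText) {
  return JSON.parse(responseText);
}

// Defensive loader: never throws to the caller, and validates the minimal
// shape (an object with an `events` array) before handing data on.
function parseTimelineJSON(responseText) {
  let data;
  try {
    data = JSON.parse(responseText);
  } catch (e) {
    return { ok: false, error: "invalid JSON: " + e.message };
  }
  if (!data || typeof data !== "object" || !Array.isArray(data.events)) {
    return { ok: false, error: "response has no events array" };
  }
  return { ok: true, events: data.events };
}

// Constructed sample responses (not real server output).
const GOOD_RESPONSE =
  '{"dateTimeFormat":"iso8601","events":[{"start":"2013-08-08","title":"Issue filed"}]}';
// Not JSON at all: a JavaScript expression that leaves a trace when evaluated.
const CODE_RESPONSE =
  '(function(){ sideEffects.push("response body was executed"); return {events: []}; })()';
// Valid JSON, wrong shape.
const WRONG_SHAPE_RESPONSE = '{"foo": 1}';

// Stand-alone demonstration of both loaders on the same inputs.
console.log("safe, good:", parseTimelineJSON(GOOD_RESPONSE));
console.log("safe, code:", parseTimelineJSON(CODE_RESPONSE));
console.log("safe, wrong shape:", parseTimelineJSON(WRONG_SHAPE_RESPONSE));
console.log("side effects after JSON.parse:", sideEffects.length); // 0
loadJSONWithEval(CODE_RESPONSE);
console.log("side effects after eval:", sideEffects.length); // 1
```

The `parseTimelineJSON` wrapper is the part worth copying: switching to JSON.parse removes code execution, but it also turns a malformed response from a silent failure into an exception, so the loader should catch it and check the shape rather than let a bad response break the page.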