custom-cards / flex-table-card

Highly Flexible Lovelace Card - arbitrary contents/columns/rows, regex matched, perfect to show appdaemon created content and anything breaking out of the entity_id + attributes concept
GNU General Public License v3.0

Eval is evil #8

Closed riker09 closed 5 years ago

riker09 commented 5 years ago

When displaying external sensor data (e.g. fetched from an API) the usage of eval will execute malicious code in the context of the trusted HA user interface. I know that this is probably very far-fetched but I strongly support the plan to

allow "prefix" and "suffix" for each column to add units or similar stuff, means a simplified version of "modify"

And drop eval completely.

daringer commented 5 years ago

yeah had similar thoughts about eval(), how about supporting both, means leaving the decision to the user to go for the higher "risk" eval or use "prefix" and/or "suffix" ?

riker09 commented 5 years ago

That will make everybody happy. The documentation should reflect this and warn the user that the displayed data will pass through eval and that it should be avoided, yaddah, yaddah... :slightly_smiling_face:

daringer commented 5 years ago

Affirmative!

go and get it :smile:

riker09 commented 5 years ago

Seems to work for me. :slightly_smiling_face:

But note the mis-aligned header of the Diesel column:

(screenshot: flex-table-align)

Card config

sort_by: diesel_sort_col+
columns:
  - attr_as_list: stations
    modify: x.brand
    name: Tankstelle
  - attr_as_list: stations
    id: diesel_sort_col
    modify: Math.abs(x.diesel)
    hidden: true
  - attr_as_list: stations
    modify: Math.abs(x.diesel).toFixed(2)
    id: diesel_price
    suffix: ' €'
    align: right
    name: Diesel
  - attr_as_list: stations
    modify: Math.abs(x.e5).toFixed(2)
    suffix: ' €'
    align: right
    id: e5_price
    name: Super
  - attr_as_list: stations
    modify: Math.abs(x.dist).toFixed(1)
    align: right
    id: distance
    suffix: ' km'
    name: Distanz
entities:
  include: sensor.gas_prices
max_rows: 10
title: Spritpreise
type: 'custom:flex-table-card'
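As an added illustration (not flex-table-card's own code), the following models the two cell-rendering paths this thread settles on, using the column keys of the config above: a `modify` expression is executed as JavaScript in the page (the same exposure as eval), while `prefix`/`suffix` only concatenate strings. The `field` key and the `allowEval` switch are assumptions made for this example; the station row is constructed sample data.

```javascript
// Added example, not flex-table-card's own code: a minimal model of the two
// cell-rendering paths discussed in this issue. The `modify` expression from
// the card config is executed as JavaScript in the page (same exposure as
// eval); `prefix`/`suffix` are plain string concatenation and execute nothing.
// Rows are the objects of the `stations` list, as in the config above. The
// `field` key and the `allowEval` switch are assumptions for this example.

function renderCell(row, col, allowEval) {
  let value;
  if (col.modify !== undefined) {
    // Config-supplied code runs with full page privileges; nothing here can
    // sandbox it, so it must be an explicit opt-in by the card's owner.
    if (!allowEval) {
      throw new Error(`column ${col.id || col.name}: modify needs eval opt-in`);
    }
    value = new Function("x", `return (${col.modify});`)(row);
  } else {
    value = row[col.field]; // assumed key: which row property to display
  }
  // Affix path: the data is only ever treated as text, never as code.
  return (col.prefix || "") + String(value) + (col.suffix || "");
}

// Audit helper: report which columns of a card config will go through eval,
// so the owner can decide whether the extra power is worth it for this card.
function columnsUsingEval(cardConfig) {
  return cardConfig.columns
    .filter((c) => c.modify !== undefined)
    .map((c) => c.id || c.name);
}

function renderRow(row, config, allowEval) {
  return config.columns.map((c) => renderCell(row, c, allowEval));
}

// Constructed sample: one entry of the sensor's `stations` attribute.
const station = { brand: "Example Station", diesel: -1.239, e5: 1.389, dist: 2.46 };

// Two columns taken from the thread's config, plus one using only prefix.
const cardConfig = {
  type: "custom:flex-table-card",
  columns: [
    { name: "Tankstelle", field: "brand", prefix: "Station: " },
    { id: "diesel_price", modify: "Math.abs(x.diesel).toFixed(2)", suffix: " €" },
    { id: "distance", modify: "Math.abs(x.dist).toFixed(1)", suffix: " km" },
  ],
};

console.log(columnsUsingEval(cardConfig)); // ["diesel_price", "distance"]
console.log(renderRow(station, cardConfig, true)); // ["Station: Example Station", "1.24 €", "2.5 km"]
```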

daringer commented 5 years ago

ok, so this looks fixed for me, the format issue inside the is kinda weird, also saw this once, but couldn't reproduce.

if this persists, can you please open another ticket for this, maybe also with some insight what happens if you "inspect" this element and start to play with its css attributes...