formio / formio.js

JavaScript powered Forms with JSON Form Builder
https://formio.github.io/formio.js
MIT License

Formio Eval error #5629

Closed nidhie2logy closed 2 months ago

nidhie2logy commented 3 months ago

I am using the latest formio.js in my project and got this error:

formio.full.min.js:2 Uncaught TypeError: Cannot read properties of undefined (reading 'replace')
    at y.value (formio.full.min.js:2:219720)
    at y.value (formio.full.min.js:2:220810)
    at y.value (formio.full.min.js:2:650932)
    at y.value (formio.full.min.js:2:651309)
    at formio.full.min.js:2:339614
    at Array.map ()
    at d.value (formio.full.min.js:2:339588)
    at d.value (formio.full.min.js:2:95108)
    at d.value (formio.full.min.js:2:95268)
    at d.value (formio.full.min.js:2:233551)

Error while processing template EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self'

Please suggest what to do to resolve the EvalError. Note that we have enabled unsafe-eval in the security policy.

Thanks

lane-formio commented 3 months ago

Can you give any additional information such as steps to reproduce and/or a sample code sandbox such as jsfiddle?

infoe2logy commented 3 months ago

@lane-formio Please check the fiddle below. If you enable CSP for this link you will get the error 'Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self'

https://jsfiddle.net/travistidwell/xy9g4oma/

Thanks

brendanbond commented 3 months ago

@infoe2logy you're using a 3.x alpha version, we're now getting ready to release version 5.x. Can you try this with the latest stable version of the renderer (4.20.0 last time I checked) and get back to us? Thanks.

infoe2logy commented 3 months ago

We have faced another issue: 'Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'self'". Either the 'unsafe-inline' keyword, a hash'

Can this issue be resolved by removing the inline styles from formio.js?

Thanks

brendanbond commented 3 months ago

@infoe2logy we'll need a reproducible example, can you give us another JSFiddle?

infoe2logy commented 3 months ago

@brendanbond With the same JSFiddle, if you enable style-src 'self' then it will give an error.

If you enable style-src 'self' on this link it will also give an error: https://formio.github.io/formio.js/app/builder.html

lane-formio commented 3 months ago

@infoe2logy Can you provide a jsfiddle or codesandbox using formiojs@4.21.0?

infoe2logy commented 3 months ago

Please check the jsfiddle below: https://jsfiddle.net/sx4L3tm1/

Thanks

brendanbond commented 3 months ago

@infoe2logy What do I need to do to trigger the error? I can build a form just fine with no errors.

infoe2logy commented 3 months ago

If you enable style-src 'self' then it will give an error in JS.

brendanbond commented 2 months ago

enable style-src 'self' in what? Are you trying to embed this fiddle somewhere?

jamesashleyCPA commented 2 months ago

> enable style-src 'self' in what? Are you trying to embed this fiddle somewhere?

This is related to a CSP issue (we are also encountering it), so asking them to make a fiddle to show the problem may not work. I'm assuming you are familiar with CSPs?

The problem is that the underlying Form.io code is using eval() for applying custom validations, which is blocked by most CSPs.

brendanbond commented 2 months ago

> This is related to a CSP issue (we are also encountering it), so asking them to make a fiddle to show the problem may not work.

I didn't ask them to make a fiddle - one was provided to me in the original question that doesn't at all indicate where they're attempting to leverage CSPs to get a Form.io form to embed correctly (iframes? inline scripts? browser extensions?).

> The problem is that the underlying Form.io code is using eval() for applying custom validations, which is blocked by most CSPs.

(Mostly) correct, which is why if we knew anything about what OP is trying to do we might be able to point them in the right direction, because the entire point of CSPs is you can opt-in to unsafe execution if you so wish.

I'm closing this issue until we can get an actual question that we can answer.
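The two comments above agree on the mechanism (custom validations are evaluated from strings, which only run under a script-src that lists 'unsafe-eval') and on the remedy (opting in per directive), and the earlier reports show the same policy blocking inline styles under style-src 'self'. The following is an added example, not code from formio.js or from anyone in this thread: a small CSP checker that parses a Content-Security-Policy header, reports whether eval and inline styles would be permitted (including the default-src fallback that a bare "note we have enabled unsafe-eval" can hide), and adds an opt-in to one directive without widening the rest. Directive and keyword names are from the CSP spec; the sample headers in demo() are constructed for this example.

```javascript
// Added example (not formio.js project code). Parses a CSP header, answers
// "can this page eval?" and "can this page apply inline styles?", and builds a
// narrowly widened policy. Sample policies below are constructed for the demo.

// Parse "script-src 'self'; style-src 'self'" into { 'script-src': ["'self'"], ... }.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!(name in policy)) policy[name] = tokens.slice(1); // browsers ignore duplicate directives
  }
  return policy;
}

function serializeCsp(policy) {
  return Object.entries(policy).map(([name, sources]) => [name, ...sources].join(' ')).join('; ');
}

// Fetch directives such as script-src and style-src fall back to default-src.
// null means the policy places no restriction at all on this directive.
function effectiveSources(policy, directive) {
  if (directive in policy) return policy[directive];
  if ('default-src' in policy) return policy['default-src'];
  return null;
}

const isKeyword = (source, keyword) => source.toLowerCase() === keyword;
const isNonceOrHash = source => /^'(nonce-|sha(256|384|512)-)/i.test(source);

// eval(), new Function() and string-argument timers run only with 'unsafe-eval'.
function allowsEval(policy) {
  const sources = effectiveSources(policy, 'script-src');
  return sources === null || sources.some(s => isKeyword(s, "'unsafe-eval'"));
}

// <style> elements and style="" attributes set by a library need 'unsafe-inline'.
// A nonce or hash in the same list makes browsers ignore 'unsafe-inline'.
function allowsInlineStyle(policy) {
  const sources = effectiveSources(policy, 'style-src');
  if (sources === null) return true;
  const hasUnsafeInline = sources.some(s => isKeyword(s, "'unsafe-inline'"));
  const hasNonceOrHash = sources.some(isNonceOrHash);
  return hasUnsafeInline && !hasNonceOrHash;
}

// Opt in for a single directive. If that directive was inheriting from
// default-src, copy the inherited list first so the opt-in does not leak into
// every other fetch directive (img-src, connect-src, ...).
function addSource(policy, directive, source) {
  const next = { ...policy };
  next[directive] = directive in next ? [...next[directive]] : [...(next['default-src'] || [])];
  if (!next[directive].some(s => isKeyword(s, source.toLowerCase()))) next[directive].push(source);
  return next;
}

function demo() {
  // Constructed policy matching the errors reported in this issue.
  const before = parseCsp("default-src 'self'; script-src 'self'; style-src 'self'");
  const after = addSource(addSource(before, 'script-src', "'unsafe-eval'"), 'style-src', "'unsafe-inline'");
  return {
    before: serializeCsp(before),
    after: serializeCsp(after),
    evalBefore: allowsEval(before),
    evalAfter: allowsEval(after),
    inlineStyleBefore: allowsInlineStyle(before),
    inlineStyleAfter: allowsInlineStyle(after),
  };
}

console.log(demo());
```

Two caveats worth checking before shipping the widened header: 'unsafe-eval' on script-src means any string an attacker can get into the page's validation or template data becomes executable code, which is exactly the class of injection the directive exists to contain, so keep it off every other directive (the addSource helper above copies the default-src list for that reason); and a nonce only covers `<style>` elements you can tag yourself, so style attributes written by a renderer still require 'unsafe-inline' (or a hash together with 'unsafe-hashes').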

jamesashleyCPA commented 2 months ago

> I'm closing this issue until we can get an actual question that we can answer.

you did.