ghalex / vue3-charts

Vue3-Charts is an SVG-based charting library that is very easy to use and highly customizable
https://vue3charts.org
MIT License

noUse of eval is strongly discouraged #36

Open wilberforce opened 2 years ago

wilberforce commented 2 years ago

Thanks for a great package!

On build I get noUse of eval is strongly discouraged, as it poses security risks and may cause issues with minification

https://github.com/ghalex/vue3-charts/blob/dc07846bbcc4b1d293dbd1bec42af240f2187e89/src/models/Scale.ts#L96-L103

Can't this be rewritten without eval?

ghalex commented 2 years ago

Hi @wilberforce,

The idea of eval here is to allow the ability to write a dynamic domain like:

['dataMin * 2', 'dataMax * 4 + 100']

I don't see how this can be done without eval but if you have any ideas they are welcome.

Thanks, Alexandru

wilberforce commented 2 years ago

Hi, untested - however this will do it I think!

const [dataMin, dataMax] = extent(Array.from(new Set(values.concat([valueMin || 0, valueMax || 0]))))
function yMin() { return `${domain[0]}` }
function yMax() { return `${domain[1]}` }
return [yMin(), yMax()]

psykora commented 1 year ago

Hi Alexandru (@ghalex),

How about allowing functions (DataExtent) => AxisRange directly instead of a string for evaluation?

i.e. replacing this ['dataMin * 2', 'dataMax * 4 + 100'] with this ([dataMin, dataMax]) => [dataMin*2, dataMax*4 + 100]

If the user supplies [constant, constant] instead of functions, it will work as before.

The complete working proposal is here: https://github.com/psykora/vue3-charts/commit/880cbcf3e9bdadabf5c087fc40e317aa35e05fc9

It is a breaking change though.

Thanks, Peter.
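
The domain forms discussed in this thread can all be resolved without eval: the sketch below is an added example, not code from vue3-charts or from any commenter, and it goes beyond the function proposal by also parsing the legacy string form with a small arithmetic parser. `evalExpr` and `resolveDomain` are hypothetical names, and computing dataMin/dataMax directly from the values is an assumption.

```javascript
// Added example, not vue3-charts code. evalExpr and resolveDomain are
// hypothetical names chosen for this illustration.

// Evaluates the legacy string form ('dataMax * 4 + 100') with a recursive-descent
// parser: numbers, + - * /, parentheses and names in `vars`. No eval/new Function.
function evalExpr(src, vars) {
  const re = /\s*(\d+(?:\.\d+)?|[A-Za-z_]\w*|[-+*\/()])/y;
  const tokens = [];
  let end = 0;
  for (let m; (m = re.exec(src)) !== null; end = re.lastIndex) tokens.push(m[1]);
  if (src.slice(end).trim() !== '') throw new SyntaxError(`bad input at ${end}`);
  let pos = 0;
  const peek = () => tokens[pos];
  const next = () => tokens[pos++];
  function primary() {
    const t = next();
    if (t === '(') {
      const v = sum();
      if (next() !== ')') throw new SyntaxError('expected ")"');
      return v;
    }
    if (t === '-') return -primary();
    if (/^\d/.test(t)) return Number(t);
    // Own-property lookup only: 'constructor' or '__proto__' are rejected.
    if (Object.prototype.hasOwnProperty.call(vars, t)) return vars[t];
    throw new SyntaxError(`unexpected token: ${t}`);
  }
  function product() {
    let v = primary();
    while (peek() === '*' || peek() === '/') v = next() === '*' ? v * primary() : v / primary();
    return v;
  }
  function sum() {
    let v = product();
    while (peek() === '+' || peek() === '-') v = next() === '+' ? v + product() : v - product();
    return v;
  }
  const result = sum();
  if (pos < tokens.length) throw new SyntaxError(`unexpected token: ${peek()}`);
  return result;
}

// Accepts [number|string, number|string] or the function form proposed above.
// Assumption: dataMin/dataMax are taken from `values` alone (no valueMin/valueMax).
function resolveDomain(domain, values) {
  const vars = { dataMin: Math.min(...values), dataMax: Math.max(...values) };
  if (typeof domain === 'function') return domain([vars.dataMin, vars.dataMax]);
  return domain.map((d) => (typeof d === 'number' ? d : evalExpr(String(d), vars)));
}
```

Existing string domains keep working, while anything outside the small grammar (calls, property access, statements) raises a SyntaxError instead of being executed.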