olado / doT

The fastest + concise javascript template engine for nodejs and browsers. Partials, custom delimiters and more.

Use of eval which is blocked by script-src Content Security Policy #276

Closed will-newmarch closed 5 years ago

will-newmarch commented 6 years ago

Is there any possible way the use of 'eval' could be removed from the library? (I realise this might be quite an integral part)

https://github.com/olado/doT/blob/8cae202f96aab66b644007c63fc38bc9e6ffaa8c/doT.js#L40

We are having issues with it triggering security warnings around: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src

Apparently as part of tightening security using CSP headers eval() is increasingly non-viable.

mappu commented 6 years ago

We're having issues too. Replacing the whole _globals section with window.doT = doT; gets past the first hurdle, but after that, the rest of the code is heavily based on new Function which is eval() in disguise.

drewlee commented 5 years ago

We have also run into this issue with an NPM module due to doT being used as a transient dependency. Using eval is a definite code smell/bad pattern from a security perspective. Is this project under active maintenance anymore? This seems to be a rather contentious issue to ignore.

fomenyesu commented 5 years ago

I set the Content-Security-Policy to "script-src 'self' 'unsafe-eval' 'unsafe-inline'; object-src 'self'" to fix the error.

epoberezkin commented 5 years ago

The solution is to either allow eval (as above) or better to precompile templates as part of build step and deploy functions.
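The two routes discussed in this thread, as an added example that is not part of the original issue and is not doT's own code. The stand-in compiler below uses doT's default `{{=expr}}` (raw) and `{{!expr}}` (HTML-escaped) tags, but the compiler itself, the function names (`compileToSource`, `compileAtRuntime`, `emitModule`, `greetingPrecompiled`) and the sample template and data are assumptions made for illustration. Route 1 does what doT does at runtime: it hands generated source to `new Function`, which browsers treat exactly like `eval` and reject under any `script-src` that lacks `'unsafe-eval'`. Route 2 performs the same translation as a build step and writes the result out as an ordinary module, so the deployed code contains no eval at all.

```javascript
// Added example (not doT's own code): a minimal stand-in for a doT-style
// template compiler, written to show why runtime compilation trips CSP and
// how a build step avoids it. The {{=expr}} (raw) and {{!expr}} (HTML-escaped)
// tags mirror doT's default delimiters; everything else is a simplification.
'use strict';

const TAG_RE = /\{\{([=!])([\s\S]+?)\}\}/g;

function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Translate template text into the *source* of a function body that takes
// `it` (the data) and `esc` (an escaper). Nothing is executed here; this is
// pure string manipulation and is safe under any CSP.
function compileToSource(tmpl) {
  let body = "var out='';";
  let last = 0;
  for (const m of tmpl.matchAll(TAG_RE)) {
    body += 'out+=' + JSON.stringify(tmpl.slice(last, m.index)) + ';';
    const expr = m[2].trim();
    body += m[1] === '!' ? 'out+=esc(' + expr + ');' : 'out+=(' + expr + ');';
    last = m.index + m[0].length;
  }
  body += 'out+=' + JSON.stringify(tmpl.slice(last)) + ';return out;';
  return body;
}

// Route 1, what doT does today: turn the source into a function at runtime.
// new Function() is an eval equivalent, so under a policy such as
// "script-src 'self'" (no 'unsafe-eval') a browser throws an EvalError here.
function compileAtRuntime(tmpl) {
  const fn = new Function('it', 'esc', compileToSource(tmpl));
  return (it) => fn(it, escapeHtml);
}

// Route 2, the build step: emit a CommonJS module that contains the compiled
// function as ordinary code. The bundler ships this file; the browser parses
// it like any other script, so no eval permission is needed at runtime.
function emitModule(name, tmpl) {
  return [
    '// Generated at build time; do not edit. No eval needed at runtime.',
    'var esc = ' + escapeHtml.toString() + ';',
    'module.exports.' + name + ' = function (it) { ' + compileToSource(tmpl) + ' };',
    '',
  ].join('\n');
}

// Constructed sample template and data (not from the thread).
const greetingTmpl = '<p>Hello, {{!it.name}}! You have {{=it.count}} messages.</p>';
const sampleData = { name: '<b>Mallory</b>', count: 3 };

// Hand-written copy of what the build step emits for greetingTmpl: this is the
// artifact that ends up in the deployed bundle, and it is plain code.
function greetingPrecompiled(it) {
  var out = '';
  out += '<p>Hello, ';
  out += escapeHtml(it.name);
  out += '! You have ';
  out += (it.count);
  out += ' messages.</p>';
  return out;
}

// Usage: under Node (no CSP) both routes render identically; in a browser with
// "script-src 'self'" only greetingPrecompiled() and the emitted module work.
if (typeof require !== 'undefined' && typeof module !== 'undefined' && require.main === module) {
  console.log(compileAtRuntime(greetingTmpl)(sampleData));
  console.log(greetingPrecompiled(sampleData));
  console.log(emitModule('greeting', greetingTmpl));
}
```

Two practical notes. First, the header quoted earlier in the thread resolves the error by adding both `'unsafe-eval'` and `'unsafe-inline'` to `script-src`, which re-enables the two behaviours CSP exists to stop (dynamic code from strings and injected inline scripts); if a dependency forces `'unsafe-eval'` on you, scope the relaxation to the page that needs it rather than the whole site. Second, a precompile step only removes the eval call; it does not change what the generated code does, so templates that interpolate untrusted data with the raw `{{=...}}` tag remain an XSS risk whichever route you deploy them by.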