partridgejiang / Kekule.js

A Javascript cheminformatics toolkit.
http://partridgejiang.github.io/Kekule.js
MIT License

Use of "new Function" violates content security policy #173

Open jhirshman opened 4 years ago

jhirshman commented 4 years ago

This package's use of "new Function" causes the code in this library to violate our content security policy. This could be avoided by spelling out the anonymous function instead because never is it the case that the function is not actually dynamically generated.

For example, var a = new Function('return 3;'); can be replaced with var a = (function anonymous() { return 3; });

Additionally, there are "evals" in the code that could probably be removed.

partridgejiang commented 4 years ago

Thanks for the reminder. Now the calls of new Function() have been modified. Some eval calls are also changed. Please check the latest dist files in the repo.

jhirshman commented 4 years ago

Thank you for making that change. I will pull down and work with the latest version.

NicolasCARPi commented 4 years ago

Hello,

I'm currently trying to see if this project could be a good addition to eLabFTW (an ELN).

The first hurdle (after adding a file-loader for .png and .cur to webpack), is the CSP policy, which is strict on eLab.

The last release was quite a long time ago. Do you think it would be possible to make a new release?

Using the latest from master seems to fix some issues but not all (there are still some evil eval() out there).

partridgejiang commented 4 years ago

Yes, there are several other places of eval() in the code. I am on a trip currently and should inspect them later, :).

partridgejiang commented 3 years ago

@NicolasCARPi, sorry for the delay, but now all the eval() calls have been removed from the library. Please check the latest dist files.

NicolasCARPi commented 3 years ago

Thanks @partridgejiang. I'll give it another try!