It looks like the only use of eval() in this extension is in
https://code.google.com/p/chrometophone/source/browse/trunk/extension/channel.js,
which is using it to parse JSON. This is a particularly unsafe use of eval,
since the returned JSON data could include arbitrary code, and it's easy to
replace the use with JSON.parse().
I also see two setTimeout() calls in send_logic.js that could be fixed up by
removing the quotes around their function argument.
And, finally, there's some Closure-junk in channel.js ('new
Function("a","return a")'), which could be removed by re-importing
https://talkgadget.google.com/talkgadget/channel.js or by textually replacing
it with 'function(a){return a}'.
Original issue reported on code.google.com by jyasskin@chromium.org on 13 Dec 2013 at 12:35
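
The difference between the two parsing approaches named in the report, shown as an added example (not code from the extension or from the reporter). The response strings, the `injectedCodeRan` flag and all function names are constructed for illustration.

```javascript
// Constructed sample responses (not captured from the real channel endpoint).
const benignResponse = '{"status": "ok", "token": "abc123"}';
// An expression rather than JSON: it runs a function before yielding an object.
const scriptResponse =
  '(function () { globalThis.injectedCodeRan = true; return {"status": "ok"}; })()';

// The pattern the issue flags: eval() treats the response body as script.
function parseWithEval(text) {
  return eval('(' + text + ')');
}

// The suggested replacement: JSON.parse() accepts only the JSON grammar,
// so anything containing executable syntax is rejected with a SyntaxError.
function parseWithJsonParse(text) {
  try {
    return { ok: true, value: JSON.parse(text) };
  } catch (err) {
    return { ok: false, error: err.name };
  }
}

// Run both parsers on the same text and record whether embedded code executed.
function compare(text) {
  globalThis.injectedCodeRan = false;
  const evalResult = parseWithEval(text);
  const ranUnderEval = globalThis.injectedCodeRan;
  globalThis.injectedCodeRan = false;
  const jsonResult = parseWithJsonParse(text);
  const ranUnderJsonParse = globalThis.injectedCodeRan;
  return { evalResult, ranUnderEval, jsonResult, ranUnderJsonParse };
}

// setTimeout fix: pass a function reference, not a quoted string that the
// browser would compile like eval(). scheduleRetry is a hypothetical name.
function scheduleRetry(retryFn, delayMs) {
  return setTimeout(retryFn, delayMs);
}

// Textual replacement for 'new Function("a","return a")' given in the issue.
const identity = function (a) { return a; };

console.log(compare(benignResponse));
console.log(compare(scriptResponse));
```

With all three patterns gone, the extension no longer needs `'unsafe-eval'` in its Content Security Policy.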