struts-community-plugins / struts2-jquery

Struts2 jQuery Plugin
Apache License 2.0

Content Security Policy: unsafe-eval in jquery.ui.struts2.js #338

Closed awalvekar1 closed 6 months ago

awalvekar1 commented 1 year ago

The JavaScript file jquery.ui.struts2.js contains the eval() function in many places (line numbers: 74, 105, 134, 165, 200, 328, 600, 608). Chrome and Firefox flag this as unsafe and a violation of Content Security Policy.

Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'nonce-avQoXXDogPwDtuMDAzKjjK7R' 'strict-dynamic' http: https:"

Can someone look into this and replace unsafe eval() functions with safer alternatives?

lukaszlenart commented 1 year ago

But that should be just a report, and there is no way to replace eval() with a safer option. In Struts 6.2.0 it will be possible to configure a different kind of policy which allows using eval().

gregh3269 commented 10 months ago

In the past I have replaced these with a function.

As they are all the same you can just use

// Wraps the literal in a function body and calls it once (the "use strict" prefix
// keeps the evaluated literal from leaking variables into the caller's scope)
function fixMe(obj) {
    return Function('"use strict"; return (' + obj + ')')();
}

and in the code

// dao = eval("( " + daos + " )");
dao = fixMe(daos);

lukaszlenart commented 10 months ago

I tried this trick but got

Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive:
"script-src 'nonce-TC4oMKNtwRRvTH4CcPPZvKQ0' 'strict-dynamic' http: https:".

gregh3269 commented 10 months ago

What page/link is this on?

...I have tested it and it seems to work; note it needs to be a capital F in Function.

lukaszlenart commented 10 months ago

I'm working on some other solution based on this https://stackoverflow.com/a/7127804

gregh3269 commented 10 months ago

This was added in ES5.

e.g. in the drag and drop it is evaluating these:

{handle: 'h3', revert: 'invalid'}
{accept: '.accept', classes: {'ui-droppable-active': 'ui-state-active', 'ui-droppable-hover': 'ui-state-hover'}}

lukaszlenart commented 10 months ago

@awalvekar1 & @gregh3269 see the PR

gregh3269 commented 10 months ago

Seems OK, the change was just to remove the eval?

lukaszlenart commented 10 months ago

Yes, there are some code re-formats automatically applied by IDEA, plus some small improvements around satisfying CSP.

gregh3269 commented 10 months ago

More digging: can you check the drag and drop under Effects and Iterations? For me it does not work. The eval is needed.

There is this warning with fixMe: Content-Security-Policy: The page's settings observed the loading of a resource at eval ("script-src"). A CSP report is being sent.

Also there are these: Content-Security-Policy: The page's settings observed the loading of a resource at inline ("script-src"). A CSP report is being sent. Source: javascript:void(0)

Function(..) ("function constructor to create function from string", CSP3) is considered unsafe if the argument is passed as a string, in terms of content security policy.

Eval and Function(..): there are differences in scope of variables and "use strict".

Just leave the eval?
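The two option literals quoted earlier in the thread and the eval-versus-Function discussion in this comment turn on the same point: under a CSP whose script-src lacks 'unsafe-eval', eval(), the Function constructor and string arguments to setTimeout/setInterval are all refused, because each compiles a string into code. The block below is an added example, not code from struts2-jquery or from anyone in this thread, of the alternative that avoids string-to-code entirely: a small recursive-descent parser for the relaxed object-literal syntax the plugin's option strings use (bare keys, single-quoted strings), which JSON.parse rejects. The function name parseOptionLiteral and the grammar it accepts are choices made here, not part of the plugin.

```javascript
// Added example, not part of struts2-jquery: parse option-literal strings such as
//   {handle: 'h3', revert: 'invalid'}
// into plain objects without eval() or Function(), so the code runs under a CSP
// that does not grant 'unsafe-eval'. Accepted grammar: objects with bare or quoted
// keys, single- or double-quoted strings, numbers, true/false/null, arrays, and a
// trailing comma. Anything that looks like code (identifiers, calls) is rejected.
function parseOptionLiteral(src) {
  let i = 0;
  const escapes = { n: '\n', t: '\t', r: '\r', '\\': '\\', "'": "'", '"': '"' };

  function skipWs() { while (i < src.length && /\s/.test(src[i])) i++; }
  function peek() { skipWs(); return src[i]; }
  function expect(ch) {
    if (peek() !== ch) throw new SyntaxError(`expected '${ch}' at ${i}, got '${src[i]}'`);
    i++;
  }

  // Reads a quoted string starting at the opening quote; supports a few escapes.
  function parseString(quote) {
    i++;
    let out = '';
    while (i < src.length && src[i] !== quote) {
      if (src[i] === '\\') {
        i++;
        const esc = src[i];
        if (!Object.prototype.hasOwnProperty.call(escapes, esc)) {
          throw new SyntaxError(`unsupported escape \\${esc} at ${i}`);
        }
        out += escapes[esc];
      } else {
        out += src[i];
      }
      i++;
    }
    if (i >= src.length) throw new SyntaxError('unterminated string');
    i++; // closing quote
    return out;
  }

  function parseBareWord() {
    const m = /^[A-Za-z_$][A-Za-z0-9_$]*/.exec(src.slice(i));
    if (!m) throw new SyntaxError(`unexpected character '${src[i]}' at ${i}`);
    i += m[0].length;
    return m[0];
  }

  function parseNumber() {
    const m = /^-?\d+(\.\d+)?([eE][+-]?\d+)?/.exec(src.slice(i));
    if (!m) throw new SyntaxError(`bad number at ${i}`);
    i += m[0].length;
    return Number(m[0]);
  }

  function parseKey() {
    const c = peek();
    return (c === "'" || c === '"') ? parseString(c) : parseBareWord();
  }

  function parseValue() {
    const c = peek();
    if (c === '{') return parseObject();
    if (c === '[') return parseArray();
    if (c === "'" || c === '"') return parseString(c);
    if (c === '-' || (c >= '0' && c <= '9')) return parseNumber();
    const word = parseBareWord();
    if (word === 'true') return true;
    if (word === 'false') return false;
    if (word === 'null') return null;
    // An identifier here would be code under eval(); data-only parsing refuses it.
    throw new SyntaxError(`unexpected identifier '${word}'`);
  }

  function parseObject() {
    expect('{');
    const obj = {};
    while (peek() !== '}') {
      const key = parseKey();
      // Assigning obj['__proto__'] would change the prototype; refuse the key.
      if (key === '__proto__') throw new SyntaxError('__proto__ key rejected');
      expect(':');
      obj[key] = parseValue();
      if (peek() === ',') i++; else break;
    }
    expect('}');
    return obj;
  }

  function parseArray() {
    expect('[');
    const arr = [];
    while (peek() !== ']') {
      arr.push(parseValue());
      if (peek() === ',') i++; else break;
    }
    expect(']');
    return arr;
  }

  const value = parseValue();
  skipWs();
  if (i !== src.length) throw new SyntaxError(`trailing input at ${i}`);
  return value;
}
```

At a call site of the shape `dao = eval("( " + daos + " )")`, the data-only form is `dao = parseOptionLiteral(daos)`; because the string is never compiled, no CSP report is generated and the Function-constructor differences in scope and strict mode discussed above no longer arise. The parser accepts only literals, so a string that contains an expression or call fails with a SyntaxError instead of executing.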

lukaszlenart commented 6 months ago

@gregh3269 check now, I used Function() and as far as I see the drag&drop example works.

gregh3269 commented 6 months ago

Drag and drop works OK (branch feature/avoid-eval).