Opened 11 years ago

Closed 11 years ago

#10540 closed Bug (duplicate)

Do not use eval because it violates Content Security Policy ("unsafe-inline")

Reported by: Piotrek Koszuliński Owned by:
Priority: Normal Milestone:
Component: General Version:
Keywords: Cc:

Description

Reported on GitHub: https://github.com/ckeditor/ckeditor-dev/commit/321ddbbe74a

We use eval in env.js and a function constructor in templates. Worth checking if we're not using setTimeout or setInterval with string somewhere in older code.

Change History (2)

comment:1 Changed 11 years ago by Jakub Ś

Below is part of http://www.w3.org/TR/CSP/ spec:

If 'unsafe-eval' is not in allowed script sources:

  • Instead of evaluating their arguments, both operator eval and function eval must throw a security exception. [ECMA-262]
  • When called as a constructor, the function Function must throw a security exception. [ECMA-262]
  • When called with a first argument that is non-callable (e.g., not a function), the setTimeout function must return zero without creating a timer.
  • When called with a first argument that is non-callable (e.g., not a function), the setInterval function must return zero without creating a timer.

The term callable refers to an object whose interface has one or more callers as defined in the Web IDL specification [WEBIDL].

There is more general ticket about CSP - #8584 so this is a small duplicate of the former ticket.

comment:2 Changed 11 years ago by Jakub Ś

Resolution: duplicate
Status: newclosed

DUP of #8584.

Note: See TracTickets for help on using tickets.
© 2003 – 2022, CKSource sp. z o.o. sp.k. All rights reserved. | Terms of use | Privacy policy