Opened 6 years ago

Closed 6 years ago

#10540 closed Bug (duplicate)

Do not use eval because it violates Content Security Policy ("unsafe-inline")

Reported by: Piotrek Koszuliński Owned by:
Priority: Normal Milestone:
Component: General Version:
Keywords: Cc:

Description

Reported on GitHub: https://github.com/ckeditor/ckeditor-dev/commit/321ddbbe74a

We use eval in env.js and a function constructor in templates. Worth checking if we're not using setTimeout or setInterval with a string somewhere in older code.

Change History (2)

comment:1 Changed 6 years ago by Jakub Ś

Below is part of the http://www.w3.org/TR/CSP/ spec:

If 'unsafe-eval' is not in allowed script sources:

  • Instead of evaluating their arguments, both operator eval and function eval must throw a security exception. [ECMA-262]
  • When called as a constructor, the function Function must throw a security exception. [ECMA-262]
  • When called with a first argument that is non-callable (e.g., not a function), the setTimeout function must return zero without creating a timer.
  • When called with a first argument that is non-callable (e.g., not a function), the setInterval function must return zero without creating a timer.

The term callable refers to an object whose interface has one or more callers as defined in the Web IDL specification [WEBIDL].


There is a more general ticket about CSP, #8584, so this is a small duplicate of the former ticket.
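To make the quoted spec rules concrete, here is an added example (not CKEditor's own code): a placeholder template compiled through the Function constructor next to a CSP-safe equivalent, plus a small scanner for the constructs the ticket asks to check for. The `{name}` template syntax, the `SAMPLE` source lines and all function names are constructed for this example.

```javascript
// Added example, not CKEditor code: a placeholder template built two ways,
// plus a source scanner for the constructs the ticket asks to hunt down.
const PLACEHOLDER = /\{([^}]+)\}/g;

// Variant 1: compile the template with the Function constructor. Under a CSP
// that omits 'unsafe-eval' this call throws, so nothing would ever render.
function compileWithFunction(source) {
  const body = 'return "' +
    source.replace(/\\/g, '\\\\').replace(/"/g, '\\"')
          .replace(PLACEHOLDER, '" + String(data["$1"]) + "') +
    '";';
  return new Function('data', body);
}

// Variant 2: same output with no dynamic code. Placeholders are replaced at
// render time with String.prototype.replace; unknown keys are left as typed.
function compileWithReplace(source) {
  return function render(data) {
    return source.replace(PLACEHOLDER, (match, key) =>
      Object.prototype.hasOwnProperty.call(data, key) ? String(data[key]) : match);
  };
}

// Constructs that a CSP without 'unsafe-eval' blocks: eval(), the Function
// constructor, and setTimeout/setInterval with a string literal first argument.
const EVAL_PATTERNS = [
  { name: 'eval', re: /\beval\s*\(/ },
  { name: 'Function constructor', re: /\bnew\s+Function\s*\(/ },
  { name: 'timer with string', re: /\bset(?:Timeout|Interval)\s*\(\s*['"]/ },
];

// Return one { line, name } entry per matching line of `jsSource`.
function findUnsafeEval(jsSource) {
  const hits = [];
  jsSource.split('\n').forEach((text, i) => {
    for (const { name, re } of EVAL_PATTERNS) {
      if (re.test(text)) hits.push({ line: i + 1, name });
    }
  });
  return hits;
}

// Constructed sample source (not env.js); the last line is fine under CSP.
const SAMPLE = [
  'var mode = eval("document.documentMode");',
  'var render = new Function("data", "return data.name;");',
  'setTimeout("tick()", 100);',
  'setTimeout(tick, 100);',
].join('\n');
```

Run `findUnsafeEval` over a build's sources to list the lines that need the same treatment as `compileWithReplace`; a callable first argument to `setTimeout`, as on the last sample line, is not reported.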

comment:2 Changed 6 years ago by Jakub Ś

Resolution: duplicate
Status: new → closed

DUP of #8584.
