Remove eval function calls
Hi everyone,
I have an "issue" I would like to report. While it is not really a bug, it is one in terms of cleanliness of code.
We have strict policies at our company concerning the usages of "eval()" and similar methods/prototypes.
We would very much like to use your product/library in our products; however, we cannot do so, as in your code there are usages of things like "new Function()". Is there anything on your roadmap to remove such constructs?
Change History (6)
Keywords: eval functions removed
Status: new → confirmed
Version: 4.4.7 → 3.0
Milestone: → CKEditor 4.7.0
Priority: Normal → Must have (possibly next milestone)
Owner: set to Tomasz Jakut
Status: confirmed → assigned
Status: assigned → review
Resolution: → fixed
Status: review → closed
Summary: Usage of eval prototypes → Remove eval function calls
AFAICS "Function()" is used in a single place only - in core/template.js and we do not use eval at all. We don't have any plans regarding changing this code. If you would like to handle this ticket please read http://docs.ckeditor.com/#!/guide/dev_contributing_code
PS. Info for others – I confirm this ticket because any kind of code evaluation is considered insecure. The template.js case is relatively very safe, but in environments which disallow using function constructor at all this is a problem.
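Added example, not CKEditor's code and not part of the ticket: a sketch of the kind of change being requested. It shows a `{name}` placeholder template compiled with `new Function()` next to an equivalent that uses only `String.prototype.replace`, so it keeps working where the function constructor is disallowed. The function names, the sample template and the sample data are assumptions made for illustration.

```javascript
// Hypothetical helpers for illustration; this is not core/template.js.

// Pattern the ticket objects to: the template text is rewritten into
// JavaScript source and compiled with the Function constructor. Where code
// generation from strings is blocked (for example a Content Security Policy
// without 'unsafe-eval'), the `new Function` call throws.
function compileWithFunctionConstructor(template) {
  const body = template
    .replace(/\\/g, '\\\\')      // escape backslashes for the string literal
    .replace(/'/g, "\\'")        // escape single quotes
    .replace(/\r?\n/g, '\\n')    // keep newlines inside the literal
    .replace(/\{([^}]+)\}/g,
      "',data['$1']===undefined?'{$1}':data['$1'],'");
  return new Function('data', "return ['" + body + "'].join('');");
}

// Function-constructor-free equivalent: the template stays data and is never
// turned into code, so no escaping of generated source is needed at all.
function renderTemplate(template, data) {
  return template.replace(/\{([^}]+)\}/g, (match, name) =>
    // Own-property check: placeholders such as {constructor} must not
    // resolve to values inherited from Object.prototype.
    Object.prototype.hasOwnProperty.call(data, name) && data[name] !== undefined
      ? String(data[name])       // replacer function: "$&" in a value stays literal
      : match);                  // unknown placeholder is left as written
}

// Constructed sample input. Neither function HTML-escapes values; callers
// remain responsible for encoding untrusted data before passing it in.
const SAMPLE_TEMPLATE = '<a href="{url}">{label}</a>';
const SAMPLE_DATA = { url: '/docs', label: 'Read the docs' };
```
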