[#3840] - Removed unsafe eval() from compressed treeselectmenu script
- Closed
- 13 Jan 2015
- Medium
- Build: staging
- # 3840
- Diff
- J0WI:staging
- Success The Travis CI build passed Details
User tests: Successful: Unsuccessful:
referring to issue #3837:
I'm using CSP on my server. Sadly, I have to allow unsafe-eval because of Joomla. There are more secure alternatives to eval():
https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/eval#Don.27t_use_eval.21
See also http://www.w3.org/TR/CSP/#script-src
Exactly.
It's just another form of compression, but it's highly recommend to not use the eval() function if not really necessary. So now there are a few bytes more, but without making use of eval().
Ah. So the eval may have been applied by the compressing tool? Or was that manually added there?
yes, can be by the compressing tool, but I not know a tool that use such trick 
This one uses exactly this function if you enable Base62 encode:
http://dean.edwards.name/packer/
brianteeman
- | Status | New | ⇒ | Pending |
nicksavov
- | Labels |
Removed:
?
|
||
| Status | Pending | ⇒ | Closed |
| Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2015-01-13 19:56:51 |
Can you apply this change also to the file
treeselectmenu.jquery.js. It contains the uncompressed code for the same thing.