From c2e94ad7210007be4cb5f647e3c30c21c9494184 Mon Sep 17 00:00:00 2001
From: alokhyland
Date: Tue, 8 Oct 2024 15:09:00 +0530
Subject: [PATCH] ELEMENTS-1759: Remove usage of unsafe-eval from CSP

---
 ui/nuxeo-filter.js | 41 ++++++++++++++------------------
 ui/viewers/pdfjs/web/viewer.html | 4 ++--
 2 files changed, 20 insertions(+), 25 deletions(-)

diff --git a/ui/nuxeo-filter.js b/ui/nuxeo-filter.js
index 642b814f5..90976c3d0 100644
--- a/ui/nuxeo-filter.js
+++ b/ui/nuxeo-filter.js
@@ -18,7 +18,6 @@ limitations under the License.
 import '@polymer/polymer/polymer-legacy.js';
 import '@nuxeo/nuxeo-elements/nuxeo-element.js';
-import { config } from '@nuxeo/nuxeo-elements';
 import { Debouncer } from '@polymer/polymer/lib/utils/debounce.js';
 import { microTask } from '@polymer/polymer/lib/utils/async.js';
 import { enqueueDebouncer } from '@polymer/polymer/lib/utils/flush.js';
@@ -185,29 +184,25 @@ import Interpreter from './js-interpreter/interpreter.js';
     let res = false;
     try {
-      if (!config.get('expressions.eval', true)) {
-        const js = new Interpreter(expression, (interpreter, scope) => {
-          // set scope
-          interpreter.setProperty(scope, 'this', interpreter.nativeToPseudo(FiltersBehavior));
-          Object.entries({ document, user }).forEach(([k, obj]) => {
-            const v = {};
-            // filter out private properties
-            Object.getOwnPropertyNames(obj)
-              .filter((p) => !p.startsWith('_'))
-              .forEach((p) => {
-                v[p] = obj[p];
-              });
-            interpreter.setProperty(scope, k, interpreter.nativeToPseudo(v));
-          });
-          // XXX: 'this' in the scope of native functions is the interpreter instance
-          Object.assign(interpreter, FiltersBehavior);
+      const js = new Interpreter(expression, (interpreter, scope) => {
+        // set scope
+        interpreter.setProperty(scope, 'this', interpreter.nativeToPseudo(FiltersBehavior));
+        Object.entries({ document, user }).forEach(([k, obj]) => {
+          const v = {};
+          // filter out private properties
+          Object.getOwnPropertyNames(obj)
+            .filter((p) => !p.startsWith('_'))
+            .forEach((p) => {
+              v[p] = obj[p];
+            });
+          interpreter.setProperty(scope, k, interpreter.nativeToPseudo(v));
         });
-        js.run();
-        res = js.value;
-      } else {
-        const fn = new Function(['document', 'user'], `return ${expression};`);
-        res = fn.apply(this, [document, user]);
-      }
+        // XXX: 'this' in the scope of native functions is the interpreter instance
+        Object.assign(interpreter, FiltersBehavior);
+      });
+      js.run();
+      res = js.value;
+      return res;
     } catch (err) {
       console.error(`${err} in expression "${expression}"`);
diff --git a/ui/viewers/pdfjs/web/viewer.html b/ui/viewers/pdfjs/web/viewer.html
index e571ee269..fb5343904 100644
--- a/ui/viewers/pdfjs/web/viewer.html
+++ b/ui/viewers/pdfjs/web/viewer.html
@@ -29,11 +29,11 @@
-
+
-
+
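Review bot: Every filter expression now goes through the bundled JS-Interpreter, so an expression that only worked on the removed `new Function` path (syntax the interpreter's parser does not accept, or browser globals that are not placed in `scope`) now throws at `new Interpreter(expression, …)`, is logged by the `catch` below, and the filter evaluates to `false`; that fail-closed result is the right default for a filter, but it is a silent behaviour change that deserves a comment above `const js = …` such as `// expressions.eval is no longer honoured: expressions always run in the sandboxed interpreter so 'unsafe-eval' can be dropped from the CSP (ELEMENTS-1759)` and a release note. The added `return res;` at the end of the `try` duplicates whatever the enclosing function (whose start and tail lie outside the hunk) returns after the `catch`; if the tail already returns `res`, drop the line, and if it does not, the error path now yields `undefined` rather than `false`. The `_`-prefix filter applied to `document` and `user` before `nativeToPseudo` is a naming convention rather than an allow-list, so any non-underscored field on `user` is readable from every expression; if that object can carry anything sensitive, an explicit list of exposed fields would be the tighter boundary.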