diff --git a/storybook/src/elements/nuxeo-actions-menu/nuxeo-actions-menu.stories.js b/storybook/src/elements/nuxeo-actions-menu/nuxeo-actions-menu.stories.js
index 1d4e2394c..496b4eb3b 100644
--- a/storybook/src/elements/nuxeo-actions-menu/nuxeo-actions-menu.stories.js
+++ b/storybook/src/elements/nuxeo-actions-menu/nuxeo-actions-menu.stories.js
@@ -28,7 +28,7 @@ storiesOf('UI/nuxeo-actions-menu', module).add('Default', () => {
${list.map(
(i) => html`
-
+
`,
)}
diff --git a/ui/import-href.js b/ui/import-href.js
index d2c3f32a1..b95206343 100644
--- a/ui/import-href.js
+++ b/ui/import-href.js
@@ -104,12 +104,14 @@ export const importHref = function(href, onload, onerror, optAsync) {
*/
export const importHTML = (html) => {
const tmpl = document.createElement('template');
+ const nuxeoNonceValue = Nuxeo && Nuxeo.UI && Nuxeo.UI.config && Nuxeo.UI.config.nonce || ''
tmpl.innerHTML = html;
[...tmpl.content.children].forEach((el) => {
if (el.tagName === 'SCRIPT' && !el.src) {
const script = document.createElement('script');
[...el.attributes].forEach((attr) => script.setAttribute(attr.name, attr.value));
script.setAttribute('src', `data:text/javascript;charset=utf-8,${encodeURIComponent(el.textContent)}`);
+ script.setAttribute("nonce", nuxeoNonceValue);
el = script;
}
document.head.appendChild(el);
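Review bot: The added `nuxeoNonceValue` lookup reads the bare identifier `Nuxeo`, which throws a ReferenceError if that global is not defined when `importHTML` runs (unless it is declared elsewhere in this file), and the `nonce` attribute is then set even when the value is the empty string. Guard the lookup with `typeof Nuxeo !== 'undefined' && Nuxeo.UI && ...` and set the attribute only when a value exists: `if (nuxeoNonceValue) script.setAttribute('nonce', nuxeoNonceValue);`. Single quotes and a trailing semicolon would match the surrounding lines. Every inline script found in `html` now receives the page nonce, so the doc comment on `importHTML` should state that callers must pass only trusted markup; otherwise the nonce no longer separates intended scripts from injected ones. The body of `importHTML` continues outside the hunk.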
diff --git a/ui/nuxeo-aggregation/nuxeo-checkbox-aggregation.js b/ui/nuxeo-aggregation/nuxeo-checkbox-aggregation.js
index 413ec35cf..221a197d2 100644
--- a/ui/nuxeo-aggregation/nuxeo-checkbox-aggregation.js
+++ b/ui/nuxeo-aggregation/nuxeo-checkbox-aggregation.js
@@ -187,7 +187,9 @@ import { AggregationBehavior } from './nuxeo-aggregation-behavior.js';
- [[_computeShowMoreLabel(_showAll, i18n)]]
+
+ [[_computeShowMoreLabel(_showAll, i18n)]]
+
@@ -280,7 +282,8 @@ import { AggregationBehavior } from './nuxeo-aggregation-behavior.js';
return `hardware:keyboard-arrow-${opened ? 'up' : 'down'}`;
}
- _toggleShow() {
+ _toggleShow(e) {
+ e.preventDefault();
this._set_showAll(!this._showAll);
}
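Review bot: `_toggleShow(e)` now calls `e.preventDefault()` unconditionally, so any caller that invokes it without an event (a test, or another method of the element) throws a TypeError before `_showAll` is toggled. A guard keeps the handler usable both ways: `if (e) e.preventDefault();`. A one-line comment naming the default action being suppressed would also help, since the reason lives in the template rather than in this method.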
diff --git a/ui/nuxeo-filter.js b/ui/nuxeo-filter.js
index 642b814f5..90976c3d0 100644
--- a/ui/nuxeo-filter.js
+++ b/ui/nuxeo-filter.js
@@ -18,7 +18,6 @@ limitations under the License.
import '@polymer/polymer/polymer-legacy.js';
import '@nuxeo/nuxeo-elements/nuxeo-element.js';
-import { config } from '@nuxeo/nuxeo-elements';
import { Debouncer } from '@polymer/polymer/lib/utils/debounce.js';
import { microTask } from '@polymer/polymer/lib/utils/async.js';
import { enqueueDebouncer } from '@polymer/polymer/lib/utils/flush.js';
@@ -185,29 +184,25 @@ import Interpreter from './js-interpreter/interpreter.js';
let res = false;
try {
- if (!config.get('expressions.eval', true)) {
- const js = new Interpreter(expression, (interpreter, scope) => {
- // set scope
- interpreter.setProperty(scope, 'this', interpreter.nativeToPseudo(FiltersBehavior));
- Object.entries({ document, user }).forEach(([k, obj]) => {
- const v = {};
- // filter out private properties
- Object.getOwnPropertyNames(obj)
- .filter((p) => !p.startsWith('_'))
- .forEach((p) => {
- v[p] = obj[p];
- });
- interpreter.setProperty(scope, k, interpreter.nativeToPseudo(v));
- });
- // XXX: 'this' in the scope of native functions is the interpreter instance
- Object.assign(interpreter, FiltersBehavior);
+ const js = new Interpreter(expression, (interpreter, scope) => {
+ // set scope
+ interpreter.setProperty(scope, 'this', interpreter.nativeToPseudo(FiltersBehavior));
+ Object.entries({ document, user }).forEach(([k, obj]) => {
+ const v = {};
+ // filter out private properties
+ Object.getOwnPropertyNames(obj)
+ .filter((p) => !p.startsWith('_'))
+ .forEach((p) => {
+ v[p] = obj[p];
+ });
+ interpreter.setProperty(scope, k, interpreter.nativeToPseudo(v));
});
- js.run();
- res = js.value;
- } else {
- const fn = new Function(['document', 'user'], `return ${expression};`);
- res = fn.apply(this, [document, user]);
- }
+ // XXX: 'this' in the scope of native functions is the interpreter instance
+ Object.assign(interpreter, FiltersBehavior);
+ });
+ js.run();
+ res = js.value;
+
return res;
} catch (err) {
console.error(`${err} in expression "${expression}"`);
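Review bot: The `expressions.eval` setting disappears without a trace in the code: every expression now goes through `Interpreter`, and a deployment that still sets the flag gets no indication that it is ignored. A comment above `new Interpreter(...)` should record the intent, for example `// Expressions always run in the sandboxed interpreter; new Function() is no longer used, so no CSP 'unsafe-eval' is needed.` The CSP motivation is inferred from the nonce change in ui/import-href.js and should be confirmed. The `// filter out private properties` comment should also say that the filter is only a `_`-prefix check on own properties, so every other own property of `document` and `user` is readable by the expression. The enclosing function starts and ends outside the hunk.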