ELEMENTS-1759: Remove usage of unsafe-eval from CSP
alokhyland committed Oct 30, 2024
1 parent da93f91 commit 02beb92
Showing 2 changed files with 20 additions and 25 deletions.
41 changes: 18 additions & 23 deletions ui/nuxeo-filter.js
Expand Up @@ -18,7 +18,6 @@ limitations under the License.
import '@polymer/polymer/polymer-legacy.js';

import '@nuxeo/nuxeo-elements/nuxeo-element.js';
import { config } from '@nuxeo/nuxeo-elements';
import { Debouncer } from '@polymer/polymer/lib/utils/debounce.js';
import { microTask } from '@polymer/polymer/lib/utils/async.js';
import { enqueueDebouncer } from '@polymer/polymer/lib/utils/flush.js';
Expand Down Expand Up @@ -185,29 +184,25 @@ import Interpreter from './js-interpreter/interpreter.js';
let res = false;

try {
if (!config.get('expressions.eval', true)) {
const js = new Interpreter(expression, (interpreter, scope) => {
// set scope
interpreter.setProperty(scope, 'this', interpreter.nativeToPseudo(FiltersBehavior));
Object.entries({ document, user }).forEach(([k, obj]) => {
const v = {};
// filter out private properties
Object.getOwnPropertyNames(obj)
.filter((p) => !p.startsWith('_'))
.forEach((p) => {
v[p] = obj[p];
});
interpreter.setProperty(scope, k, interpreter.nativeToPseudo(v));
});
// XXX: 'this' in the scope of native functions is the interpreter instance
Object.assign(interpreter, FiltersBehavior);
const js = new Interpreter(expression, (interpreter, scope) => {
// set scope
interpreter.setProperty(scope, 'this', interpreter.nativeToPseudo(FiltersBehavior));
Object.entries({ document, user }).forEach(([k, obj]) => {
const v = {};
// filter out private properties
Object.getOwnPropertyNames(obj)
.filter((p) => !p.startsWith('_'))
.forEach((p) => {
v[p] = obj[p];
});
interpreter.setProperty(scope, k, interpreter.nativeToPseudo(v));
});
js.run();
res = js.value;
} else {
const fn = new Function(['document', 'user'], `return ${expression};`);
res = fn.apply(this, [document, user]);
}
// XXX: 'this' in the scope of native functions is the interpreter instance
Object.assign(interpreter, FiltersBehavior);
});
js.run();
res = js.value;

return res;
} catch (err) {
console.error(`${err} in <nuxeo-filter> expression "${expression}"`);
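Review bot: With the `new Function` branch gone, `js.run()` is now the only evaluation path, and nothing bounds it: if `Interpreter.run()` executes the whole expression to completion (as the upstream JS-Interpreter does), a non-terminating or very long expression stalls the main thread, so consider driving the interpreter with `step()` under an iteration cap and reporting the overrun through the existing `console.error` path. The removed `config.get('expressions.eval', true)` switch is also not mentioned anywhere in the new code, so a deployment still setting `expressions.eval` gets the sandbox silently; a comment above the `new Interpreter(...)` line such as `// Expressions are always evaluated in the JS-Interpreter sandbox; the former 'expressions.eval' switch is no longer honoured (ELEMENTS-1759).` would make that explicit. Note too that the old `new Function` path invoked the expression with `fn.apply(this, ...)`, whereas the sandbox binds `this` to `nativeToPseudo(FiltersBehavior)`, so expressions that relied on `this` being the element may behave differently — worth a line in the release notes if that is intended. The enclosing function starts before and ends after this hunk.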
4 changes: 2 additions & 2 deletions ui/viewers/pdfjs/web/viewer.html
Expand Up @@ -29,11 +29,11 @@

<!-- This snippet is used in production (included from viewer.html) -->
<link rel="resource" type="application/l10n" href="locale/locale.json">
<script src="../build/pdf.mjs" type="module"></script>
<script src="../build/pdf.mjs" type="module" nonce="dummy"></script>

<link rel="stylesheet" href="viewer.css">

<script src="viewer.mjs" type="module"></script>
<script src="viewer.mjs" type="module" nonce="dummy"></script>
</head>

<body tabindex="1">
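Review bot: `nonce="dummy"` on both `<script>` tags is a fixed literal, and a CSP nonce only provides protection when it is unpredictable and generated per response; if the serving layer does not rewrite this placeholder (and the page gives no sign that it does), the accompanying `script-src 'nonce-dummy'` policy degrades to a constant allow-token. The intended mechanism should be stated in the file so the placeholder is not shipped as-is, e.g. `<!-- nonce: placeholder replaced per response by the server; the CSP header must carry the same generated value -->` above the first script tag. If the server does perform that substitution, a pointer to where it happens would let a reviewer confirm the value is not served verbatim.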
