This repository has been archived by the owner on Sep 25, 2021. It is now read-only.

Avoid using new Function() #47

Open
fmonts opened this issue Nov 29, 2019 · 6 comments

Comments


fmonts commented Nov 29, 2019

The new Function(...) user here: https://github.com/blueimp/JavaScript-Templates/blob/master/js/tmpl.js#L24

is a bad practice, and disabled by default if using Content Security Policy (see here).

Can this be replaced? Otherwise whoever uses CSP must add unsafe-eval to use this library, allowing potential security vulnerabilities.

blueimp (Owner) commented Dec 1, 2019

For any production use, my recommendation is to make use of compiled templates.
Using those compiled template functions only requires a minimal runtime that does not make use of new Function or any other unsafe-eval construct.
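The split that the two comments above describe (CSP forbids `new Function()` in the page unless `unsafe-eval` is granted; precompiling templates moves code generation into the build step so the shipped runtime needs no eval at all) as an added example. This is not blueimp's tmpl.js or compile.js; the `{%=o.expr%}` / `{%#o.expr%}` tag syntax, the function names and the emitted module shape are all assumptions made for illustration:

```javascript
// Added example, not project code. Build-time compiler + eval-free runtime.
// Assumed template syntax: {%=o.expr%} prints an HTML-escaped value,
//                          {%#o.expr%} prints the raw value.

const ESCAPE_MAP = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Runtime helper that ships to the browser: plain string escaping,
// no code generation, so it is fine under a strict script-src CSP.
function encode(value) {
  return String(value == null ? '' : value).replace(/[&<>"']/g, (c) => ESCAPE_MAP[c]);
}

// Build step: turn template text into JavaScript *source* for a
// function (o, encode). Static text becomes JSON string literals,
// tags become expressions. This is the only place code is generated.
function compileToSource(template) {
  const tagRe = /\{%(=|#)\s*([\s\S]+?)\s*%\}/g;
  let body = 'var s = "";\n';
  let last = 0;
  let m;
  while ((m = tagRe.exec(template)) !== null) {
    body += 's += ' + JSON.stringify(template.slice(last, m.index)) + ';\n';
    body += m[1] === '='
      ? 's += encode(' + m[2] + ');\n'   // escaped output
      : 's += (' + m[2] + ');\n';        // raw output, caller's responsibility
    last = m.index + m[0].length;
  }
  body += 's += ' + JSON.stringify(template.slice(last)) + ';\nreturn s;';
  return 'function (o, encode) {\n' + body + '\n}';
}

// What the build would write to a static .js file (hypothetical shape):
// registers the compiled function under a name on a global table.
function emitModule(name, template) {
  return 'window.templates = window.templates || {};\n' +
    'window.templates[' + JSON.stringify(name) + '] = ' + compileToSource(template) + ';\n';
}

// Build-time only: materialize the generated source into a function.
// new Function() lives here, in the node build pipeline, never in the page.
function buildTemplate(template) {
  return new Function('return ' + compileToSource(template))();
}

// Runtime on the CSP-restricted page: the compiled function arrived via a
// normal <script src="templates.js">, so rendering is just a function call.
function render(compiledFn, data) {
  return compiledFn(data, encode);
}

module.exports = { encode, compileToSource, emitModule, buildTemplate, render };
```

Usage: run `compileToSource` / `emitModule` in node at build time and commit or deploy the generated file; the browser loads only `encode` and `render` plus that generated file, so `script-src 'self'` without `'unsafe-eval'` is enough. The `{%#...%}` raw form is kept only to show why the escaped form should be the default.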

@oliverbob

Can you provide an example on how to use the "compiled template" to produce javascript and what the output looks like?

Trying your example only showed me this:

```sh
basedir=$(dirname "$(echo "$0" | sed -e 's,\\,/,g')")

case `uname` in
    *CYGWIN*|*MINGW*|*MSYS*) basedir=`cygpath -w "$basedir"`;;
esac

if [ -x "$basedir/node" ]; then
  "$basedir/node"  "$basedir/node_modules/blueimp-tmpl/js/compile.js" "$@"
  ret=$?
else
  node  "$basedir/node_modules/blueimp-tmpl/js/compile.js" "$@"
  ret=$?
fi
exit $ret
```

It opened up Atom and showed that Greek to me.

Or,

```
c:\Users\bob\node\tmpl>tmpl.js index.html > tmpl.js
The process cannot access the file because it is being used by another process.
```

blueimp (Owner) commented Apr 12, 2020

Hi @oliverbob,
that code snippet you posted does not look like anything from this project, so it's likely an artifact from your environment.

Have you followed the guide here?
https://github.com/blueimp/JavaScript-Templates#compiled-templates

@oliverbob

Hi Sebastian,

It is the result of following the tutorial/documentation you have provided. I followed the guide step by step and installed the template like:

```
npm install blueimp-tmpl -g
```

But maybe this is an issue with node. I'm using the latest version on Windows. Can you provide a concrete example of how to use the tmpl.js compiler in the wiki?

Thank you very much,

Oliver

blueimp (Owner) commented Apr 13, 2020

Sorry, I don't provide support to run this on Windows.
If you're on Windows 10, I recommend you run it inside of Windows Subsystem for Linux.

However, if you want to figure out how to make this work under Windows and would like to write a guide with step-by-step instructions, I'd gladly add a link to it in the Wiki.

@oliverbob

Ok, I will try this on Puppy Linux.
