Replacing eval() calls in syscall/js #1162
Conversation
|
Thank you for the contribution! |
| getValueType = js.Global.Call("eval", `(function(x) { | ||
| id = js.Global.Call("Function", "x", "return x") | ||
| instanceOf = js.Global.Call("Function", "x", "y", "return x instanceof y") | ||
| getValueType = js.Global.Call("Function", "x", ` |
There was a problem hiding this comment.
@hajimehoshi I'm wondering if you have any thoughts on this one? It seems to me like this should be okay but would definitely like a second opinion. The Function constructor is the preferred alternative to eval() apparently.
Fortunately, there's a very good alternative to eval(): using the Function constructor.
何卒よろしくお願い申し上げます🙇♂️
|
You bet @nevkontakte thanks for the quick merge! |
|
For posterity, even though this did make the JS follow MDN best practices, it still cannot run in a CSP context without |
|
That makes sense, since |
|
Thanks for the info @nevkontakte , is this what you're describing? |
Minor tweak to
syscall/jsto follow a security best practice as advised by MDN:https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/eval#never_use_eval!
In addition to the security benefits, this means that gopherjs can now be used in environments with a CSP that doesn't allow(see comment below)scritp-src: 'unsafe-eval'.