Commit fb4c79b

bug #27584 Avoid calling eval when there is no script embedded in the toolbar (stof)
This PR was merged into the 4.1 branch.

Discussion
----------

Avoid calling eval when there is no script embedded in the toolbar

| Q             | A
| ------------- | ---
| Branch?       | 4.1
| Bug fix?      | yes
| New feature?  | no
| BC breaks?    | no
| Deprecations? | no
| Tests pass?   | yes
| Fixed tickets | #27583
| License       | MIT
| Doc PR        | n/a

#27189 changed the way embedded scripts were eval'd for the toolbar. But it also refactored the code in a way triggering `eval` all the time, even when there is no embedded script, which was reported several times as an issue with CSP.

While the debug panel (showing dumps) still requires having `unsafe-eval` in the CSP header (due to embedding scripts that we eval), this PR reverts back to the behavior of Symfony 4.0 and older, where only toolbars actually embedding scripts have this CSP compat issue.

Commits
-------

a0f78a5 Avoid calling eval when there is no script embedded in the toolbar
2 parents 413af69 + a0f78a5 commit fb4c79b
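The two evaluation strategies the commit message contrasts, side by side, as an added example that is not Symfony's own code: the pre-fix version joins all embedded scripts into one string and always calls the evaluator (even with an empty string when there are no scripts, which is what trips a CSP without `'unsafe-eval'`), while the fixed version calls it once per script and therefore not at all for a script-free toolbar. The toolbar element is a constructed stand-in exposing only `querySelectorAll('script')`, and the evaluator is injected so the calls can be counted instead of running real `eval`.

```javascript
'use strict';

// Constructed stand-in for the toolbar DOM node: each entry becomes a
// <script> element whose firstChild.nodeValue is the script body.
function makeToolbar(scriptBodies) {
  return {
    querySelectorAll: function (selector) {
      if (selector !== 'script') { return []; }
      return scriptBodies.map(function (body) {
        return { firstChild: { nodeValue: body } };
      });
    }
  };
}

// Behaviour before the fix (Symfony 4.1.0): all script bodies are joined
// with ';\n' and evaluated in one go, so the evaluator runs even when the
// list is empty (it then receives the empty string).
function evalJoined(el, evaluate) {
  evaluate([].slice.call(el.querySelectorAll('script')).map(function (script) {
    return script.firstChild.nodeValue;
  }).join(';\n'));
}

// Behaviour after the fix (this commit): one evaluator call per script,
// hence zero calls for a toolbar that embeds no scripts.
function evalEach(el, evaluate) {
  var i, scripts = [].slice.call(el.querySelectorAll('script'));
  for (i = 0; i < scripts.length; ++i) {
    evaluate(scripts[i].firstChild.nodeValue);
  }
}

// Runs one strategy against a toolbar built from scriptBodies and returns
// the list of code strings handed to the evaluator (a spy standing in for
// eval.call({}, ...)); its length is the number of eval invocations.
function recordEvalCalls(strategy, scriptBodies) {
  var calls = [];
  strategy(makeToolbar(scriptBodies), function (code) { calls.push(code); });
  return calls;
}

module.exports = { makeToolbar, evalJoined, evalEach, recordEvalCalls };
```

With no embedded scripts, `recordEvalCalls(evalJoined, [])` records one call (with `''`) and `recordEvalCalls(evalEach, [])` records none, which is exactly the difference a CSP lacking `'unsafe-eval'` observes.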

1 file changed (+5 -4 lines changed)

src/Symfony/Bundle/WebProfilerBundle/Resources/views/Profiler/base_js.html.twig

Lines changed: 5 additions & 4 deletions
@@ -419,9 +419,10 @@
419419
function(xhr, el) {
420420
421421
/* Evaluate in global scope scripts embedded inside the toolbar */
422-
eval.call({}, ([].slice.call(el.querySelectorAll('script')).map(function (script) {
423-
return script.firstChild.nodeValue;
424-
}).join(';\n')));
422+
var i, scripts = [].slice.call(el.querySelectorAll('script'));
423+
for (i = 0; i < scripts.length; ++i) {
424+
eval.call({}, scripts[i].firstChild.nodeValue);
425+
}
425426
426427
el.style.display = -1 !== xhr.responseText.indexOf('sf-toolbarreset') ? 'block' : 'none';
427428
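Review bot: `scripts[i].firstChild.nodeValue` in the new loop throws a TypeError when an embedded `<script>` element is empty (`firstChild` is `null`), and because this runs inside the same callback, the exception also skips the `el.style.display` update below; the replaced joined-string version had the same weakness, so it is pre-existing, but a guard such as `if (scripts[i].firstChild) { eval.call({}, scripts[i].firstChild.nodeValue); }` (or reading `scripts[i].textContent`) would make the loop robust at no cost. The per-script loop does deliver what the commit message states: with zero `<script>` elements `eval` is never invoked, so a toolbar that embeds no scripts no longer requires `'unsafe-eval'` in the page's CSP, and `eval.call({}, ...)` remains an indirect eval, so each script still runs in global scope as the comment above the loop says.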
@@ -440,7 +441,7 @@
440441
}
441442
442443
/* Handle toolbar-info position */
443-
var i, toolbarBlocks = [].slice.call(el.querySelectorAll('.sf-toolbar-block'));
444+
var toolbarBlocks = [].slice.call(el.querySelectorAll('.sf-toolbar-block'));
444445
for (i = 0; i < toolbarBlocks.length; ++i) {
445446
toolbarBlocks[i].onmouseover = function () {
446447
var toolbarInfo = this.querySelectorAll('.sf-toolbar-info')[0];
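Review bot: dropping `var i` here makes this loop depend on the `var i` added in the previous hunk, roughly twenty lines earlier in the same `function(xhr, el)` callback; that is correct as long as both blocks stay in one function body (the `var` is hoisted), but if either block is later moved into its own function, `i` silently becomes an implicit global in non-strict code. Keeping a local declaration (for example `var i, toolbarBlocks = ...` as before, which is harmless to re-declare) would make each block self-contained.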
