Status: New
Owner: ----
Labels: Type-Defect Priority-Medium
New issue 497 by
ddas...@gmail.com: please remove eval from
timeline_source_v2.3.0.zip\timeline_2.3.0\src\webapp\api\scripts\timeline.js
http://code.google.com/p/simile-widgets/issues/detail?id=497
Issue summary:
https://groups.google.com/forum/#!topic/simile-widgets/j0Fmgtcrke8
I have been a user of timeline.js for over a year now and must say I am really
impressed by it and its community.
I have a query regarding the use of eval in
src\webapp\api\scripts\timeline.js.
I have read a lot about eval being bad and all, so I was wondering whether you
could replace the use of eval in Timeline.loadJSON and
Timeline._Impl.prototype.loadJSON with something like this, for peace of mind:
xhr.onreadystatechange = function() {
    if (xhr.readyState == 4) {
        // JSON.parse does not evaluate the attacker's scripts.
        var resp = JSON.parse(xhr.responseText);
    }
}
Source: Cross-Origin XMLHttpRequest
http://developer.chrome.com/extensions/xhr.html
Attachments:
timeline.js 21.3 KB
--
You received this message because this project is configured to send all
issue notifications to this address.
You may adjust your notification preferences at:
https://code.google.com/hosting/settings
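The following is an added example, not code from the Timeline project or from the issue reporter. It puts a minimal eval-based parser (the pattern the issue asks to remove) next to a JSON.parse-based one and runs both over two constructed response bodies: a well-formed JSON payload and a body that is valid JavaScript but not JSON. It also shows a loadJSON-style readyState handler in the shape of the snippet above, adding the two things that snippet omits: an HTTP status check and a try/catch, because JSON.parse throws a SyntaxError on a non-JSON body rather than executing it. The variable and function names (`sideEffects`, `parseWithEval`, `makeReadyStateHandler`) are this example's own.

```javascript
// Added example (not from the Timeline project): eval vs JSON.parse for an
// XHR response body. Both response strings below are constructed for this
// example, not captured from a real server.

// Constructed, well-formed JSON in the shape a Timeline event feed might use.
const benignResponse =
  '{"events":[{"start":"2003-06-01","title":"Release"}]}';

// Constructed body that is valid JavaScript but NOT valid JSON. The comma
// expression increments a counter so we can observe whether code ran; a
// hostile feed could put anything here. JSON.parse must reject it.
let sideEffects = 0;
const hostileResponse = '(sideEffects++, {"events":[]})';

// Legacy pattern: wrap the body in parentheses and eval it. Anything that is
// syntactically JavaScript executes, not just data.
function parseWithEval(body) {
  return eval('(' + body + ')');
}

// Hardened pattern: JSON.parse only accepts the JSON grammar and throws a
// SyntaxError on everything else, so embedded code never runs.
function parseWithJsonParse(body) {
  return JSON.parse(body);
}

// Run both parsers on one body and report what each did.
function compareParsers(body) {
  const before = sideEffects;
  const result = {
    evalResult: undefined,
    evalRanCode: false,
    jsonResult: undefined,
    jsonRejected: false,
  };
  try {
    result.evalResult = parseWithEval(body);
  } catch (e) {
    result.evalResult = null;
  }
  result.evalRanCode = sideEffects !== before;
  try {
    result.jsonResult = parseWithJsonParse(body);
  } catch (e) {
    result.jsonRejected = e instanceof SyntaxError;
  }
  return result;
}

// A loadJSON-style handler shaped like the snippet in the issue, with a
// status check and a try/catch around JSON.parse. `xhr` only needs
// readyState, status and responseText, so a plain object works offline.
function makeReadyStateHandler(xhr, onSuccess, onError) {
  return function () {
    if (xhr.readyState !== 4) return;
    if (xhr.status !== 200) {
      onError(new Error('HTTP ' + xhr.status));
      return;
    }
    let data;
    try {
      data = JSON.parse(xhr.responseText);
    } catch (e) {
      // Malformed or non-JSON body: report it, never evaluate it.
      onError(e);
      return;
    }
    onSuccess(data);
  };
}

// Stand-alone demo: the benign body parses the same way under both parsers;
// the hostile body runs code under eval and is rejected by JSON.parse.
console.log('benign :', JSON.stringify(compareParsers(benignResponse)));
console.log('hostile:', JSON.stringify(compareParsers(hostileResponse)));
```

The `compareParsers` output on the hostile body is the whole argument for the change: `evalRanCode` is true and `jsonRejected` is true. In the handler, treat a SyntaxError from JSON.parse as a failed load, the same way a non-200 status is treated, rather than falling back to eval.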