Issue 497 in simile-widgets: please remove eval from timeline_source_v2.3.0.zip\timeline_2.3.0\src\webapp\api\scripts\timeline.js

codesite...@google.com

Aug 8, 2013, 5:01:17 PM
to simile-wi...@googlegroups.com
Status: New
Owner: ----
Labels: Type-Defect Priority-Medium

New issue 497 by ddas...@gmail.com: please remove eval from
timeline_source_v2.3.0.zip\timeline_2.3.0\src\webapp\api\scripts\timeline.js
http://code.google.com/p/simile-widgets/issues/detail?id=497

Issue summary:
https://groups.google.com/forum/#!topic/simile-widgets/j0Fmgtcrke8

I have been a user of timeline.js for over a year now and must say I am
really impressed by it and its community.

I have a query regarding the use of eval in
src\webapp\api\scripts\timeline.js.

I read a lot about eval being bad and all, so I was wondering: can you not
replace the use of eval in the Timeline.loadJSON and
Timeline._Impl.prototype.loadJSON methods with something like this, for
peace of mind:

xhr.onreadystatechange = function() {
  if (xhr.readyState == 4) {
    // JSON.parse does not evaluate the attacker's scripts.
    var resp = JSON.parse(xhr.responseText);
  }
};

Source: Cross-Origin XMLHttpRequest
http://developer.chrome.com/extensions/xhr.html

Attachments:
timeline.js 21.3 KB

--
You received this message because this project is configured to send all
issue notifications to this address.
You may adjust your notification preferences at:
https://code.google.com/hosting/settings
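
The comparison behind this request, as an added example that is not part of the original issue or of the SIMILE Timeline code: it runs the same response text through an eval-based parse and through JSON.parse. The names legacyEvalParse, parseFeed and compare, the top-level "events" array check, and the three sample feeds are assumptions constructed for illustration.

```javascript
// Added example, not SIMILE Timeline code. legacyEvalParse, parseFeed and
// compare are hypothetical names; the sample feeds below are constructed.

// Legacy pattern: the response text is evaluated as a JavaScript expression.
function legacyEvalParse(text) {
  return (0, eval)('(' + text + ')'); // indirect eval, runs in global scope
}

// Replacement: strict JSON only, with a shape check before the data is used.
// The "events" array is an assumed feed shape for this example.
function parseFeed(text) {
  let data;
  try {
    data = JSON.parse(text);
  } catch (e) {
    return { ok: false, error: 'not valid JSON: ' + e.message };
  }
  if (data === null || typeof data !== 'object' || !Array.isArray(data.events)) {
    return { ok: false, error: 'missing "events" array' };
  }
  return { ok: true, data: data };
}

// Constructed feeds: strict JSON, a JS object literal, and text carrying code.
const strictJson = '{"events": [{"start": "2013-08-08", "title": "Issue 497"}]}';
const jsLiteral = "{events: [{start: '2013-08-08', title: 'Issue 497'}]}";
const withCode = '{"events": [], "x": (globalThis.feedRanCode = true)}';

// Run one feed through both parsers and record what each one did with it.
function compare(text) {
  globalThis.feedRanCode = false;
  let evalOk = true;
  try { legacyEvalParse(text); } catch (e) { evalOk = false; }
  const codeRan = globalThis.feedRanCode;
  return { evalOk: evalOk, codeRan: codeRan, jsonOk: parseFeed(text).ok };
}

for (const [name, text] of [['strict', strictJson], ['literal', jsLiteral], ['code', withCode]]) {
  console.log(name, JSON.stringify(compare(text)));
}
```

The second feed is the migration caveat: data files written as JavaScript object literals (unquoted keys, single quotes) load under eval but are rejected by JSON.parse, so they need converting to strict JSON.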