
unsafe eval function


A N

Mar 20, 2025, 3:36:09 AM
to ZAP User Group
Hi,

A developer questioned the low rating for unsafe eval function. In his words

"This notice is claiming that the file in question uses the unsafe “eval” function. If that were actually true, I would rate it as a higher-priority than “low”. However, it’s not even a little bit true."

[attachment: JSfunction.png]

The only actual appearance of “eval” anywhere in that file is inside a string, and not in a function call at all:
{name:"eval conditions"}

I'm not a developer, so, reaching out to find the best course of action forward.

Thanks,
AN

Simon Bennetts

Mar 24, 2025, 1:04:29 PM
to ZAP User Group
Hiya,

The passive scan rule does fairly basic checking; it does not perform any significant static analysis on the JavaScript.
It's not an alert I would pass on to a developer, rather an alert that a pentester might want to drill down into.
I'm hoping we will be able to add passive scan policies, similar to the active scan ones: https://www.zaproxy.org/docs/desktop/addons/scan-policies/

Cheers,

Simon
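As an added example (not ZAP's passive scan rule, nor code from anyone in this thread), the small scanner below shows why a basic word match fires on `{name:"eval conditions"}` and how skipping string literals and comments separates that from a genuine `eval(` call. The two sample inputs are constructed for the illustration.

```javascript
// Added example, not ZAP's own code: reports genuine `eval(` call sites in
// JavaScript source while ignoring text inside string literals and line
// comments. Not a full parser (block comments, regex literals and nested
// template expressions are not handled), so treat its output as a triage aid.

function findEvalCalls(src) {
  const hits = [];
  let i = 0;
  const n = src.length;
  while (i < n) {
    const c = src[i];
    if (c === '"' || c === "'" || c === '`') {
      // Skip a string literal, honouring backslash escapes.
      i++;
      while (i < n && src[i] !== c) {
        if (src[i] === '\\') i++;
        i++;
      }
      i++;
      continue;
    }
    if (c === '/' && src[i + 1] === '/') {
      // Skip a line comment.
      while (i < n && src[i] !== '\n') i++;
      continue;
    }
    // Real call: standalone identifier `eval` followed by `(`.
    if (src.startsWith('eval', i) &&
        !/[\w$]/.test(src[i - 1] || '') &&
        /^\s*\(/.test(src.slice(i + 4, i + 12))) {
      hits.push(i);
      i += 4;
      continue;
    }
    i++;
  }
  return hits;
}

// Naive check of the kind the thread describes: any word "eval" at all.
function naiveEvalCheck(src) {
  return /\beval\b/.test(src);
}

// Constructed samples: the developer's string literal vs. a real call.
const SAMPLE_STRING_ONLY = '{name:"eval conditions"}';
const SAMPLE_REAL_CALL = 'const r = eval(userInput); // risky';
```

The naive check flags both samples; `findEvalCalls` returns no hit for the string-only sample and one hit (at offset 10) for the real call.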