
Avoid using new Function()

Open fmonts opened this issue 5 years ago • 6 comments

The new Function(...) used here: https://github.com/blueimp/JavaScript-Templates/blob/master/js/tmpl.js#L24

is a bad practice, and is disabled by default when using Content Security Policy (see here).

Can this be replaced? Otherwise whoever uses CSP must add unsafe-eval to use this library, allowing potential security vulnerabilities.

fmonts avatar Nov 29 '19 17:11 fmonts

For any production use, my recommendation is to make use of compiled templates. Using those compiled template functions only requires a minimal runtime that does not make use of new Function or any other unsafe-eval construct.

blueimp avatar Dec 01 '19 04:12 blueimp
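To make the difference concrete, here is an added example (not code from the blueimp/JavaScript-Templates project, and not its real compiler output format) that contrasts the two approaches discussed above: compiling a template at runtime with new Function, which a script-src directive without 'unsafe-eval' blocks, versus compiling it at build time into an ordinary function that a minimal runtime can call under a strict CSP. The {{name}} syntax, the compileToSource/renderPrecompiled helpers and the shape of the generated function are simplifying assumptions made for this illustration.

```javascript
// Added example, not from the blueimp/JavaScript-Templates project. It shows why
// ahead-of-time compiled templates satisfy a strict Content Security Policy while
// runtime compilation with `new Function` does not. Template syntax and the
// compiled-function shape are assumptions for illustration only.

// Minimal runtime shared by both approaches: HTML-escape interpolated values so
// user-supplied data is rendered as text, not markup.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Build step: turn a template such as `Hello {{name}}!` into the SOURCE TEXT of
// a render function. The placeholder grammar is restricted to identifier and
// dot characters, so template text cannot smuggle arbitrary code into the output.
// The returned string is meant to be written to a .js file during the build.
function compileToSource(template) {
  const parts = template.split(/\{\{\s*([\w.]+)\s*\}\}/);
  const body = parts
    .map((part, i) =>
      i % 2 === 0
        ? JSON.stringify(part)          // even index: literal text
        : `escapeHtml(data.${part})`    // odd index: captured {{ path }}
    )
    .join(' + ');
  return `function (data, escapeHtml) { return ${body}; }`;
}

// Runtime compilation: the pattern the issue objects to. The template is turned
// into code while the page runs, which requires 'unsafe-eval' in the CSP and
// means any template text reaching this call is executed as JavaScript.
function renderWithNewFunction(template, data) {
  const source = compileToSource(template);
  const fn = new Function('return ' + source)();
  return fn(data, escapeHtml);
}

// Ahead-of-time compilation: this is what compileToSource('Hello {{name}}!')
// emits, pasted here as it would sit in a generated module shipped with the
// page. At load time it is plain script, so no eval-like construct is needed.
const greetingTemplate = function (data, escapeHtml) {
  return "Hello " + escapeHtml(data.name) + "!";
};

// The only runtime the precompiled path needs: call the function with the data
// and the escaper. Nothing here is blocked by a CSP that omits 'unsafe-eval'.
function renderPrecompiled(templateFn, data) {
  return templateFn(data, escapeHtml);
}

// Build-time helper: emit the text of a module that exports compiled templates,
// one function per named template (constructed format, not blueimp's).
function buildTemplateModule(templates) {
  return Object.entries(templates)
    .map(([name, tpl]) => `exports.${name} = ${compileToSource(tpl)};`)
    .join('\n');
}

if (typeof require !== 'undefined' && require.main === module) {
  const data = { name: '<b>bob</b>' }; // constructed sample input
  console.log(buildTemplateModule({ greeting: 'Hello {{name}}!' }));
  console.log(renderPrecompiled(greetingTemplate, data));
}
```

Running compileToSource (or buildTemplateModule) belongs in the build pipeline, the same place the project's compile.js script is meant to run; only escapeHtml, renderPrecompiled and the generated functions ship to the browser, which is why no 'unsafe-eval' source expression is required.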

Can you provide an example on how to use the "compiled template" to produce javascript and what the output looks like?

Trying your example only showed me this:

basedir=$(dirname "$(echo "$0" | sed -e 's,\\,/,g')")

case `uname` in
    *CYGWIN*|*MINGW*|*MSYS*) basedir=`cygpath -w "$basedir"`;;
esac

if [ -x "$basedir/node" ]; then
  "$basedir/node"  "$basedir/node_modules/blueimp-tmpl/js/compile.js" "$@"
  ret=$?
else 
  node  "$basedir/node_modules/blueimp-tmpl/js/compile.js" "$@"
  ret=$?
fi
exit $ret

It opened up Atom and showed that Greek to me.

Or,

c:\Users\bob\node\tmpl>tmpl.js index.html > tmpl.js The process cannot access the file because it is being used by another process.

oliverbob avatar Apr 12 '20 05:04 oliverbob

Hi @oliverbob, that code snippet you posted does not look like anything from this project, so it's likely an artifact from your environment.

Have you followed the guide here? https://github.com/blueimp/JavaScript-Templates#compiled-templates

blueimp avatar Apr 12 '20 08:04 blueimp

Hi Sebastian,

It is the result of following the tutorial/documentation you have provided. I followed the guide step by step and installed the template like:

npm install blueimp-tmpl -g

But maybe this is an issue on node. I'm using the latest version on Windows. Can you provide a concrete example of how to use the tmpl.js compiler in the wiki?

Thank you very much,

Oliver

oliverbob avatar Apr 13 '20 11:04 oliverbob

Sorry, I don't provide support to run this on Windows. If you're on Windows 10, I recommend you run it inside of Windows Subsystem for Linux.

However if you want to figure out how to make this work under Windows and would like to write a guide with step-by-step instructions, I'd gladly add a link to the Wiki.

blueimp avatar Apr 13 '20 13:04 blueimp

Ok, I will try this on Puppy Linux.

oliverbob avatar Apr 24 '20 10:04 oliverbob