Use of eval("new "+className+"()") allows XSS when JSON is unmarshalled

[rudolphi]

Imagine className could be "String();doWhatever"

Better create a function to create the instances. Split the class name at dots, then go var base=window; base=base["first"]; and so on to get the desired class. Finally use one the approaches explained here https://stackoverflow.com/questions/3362471/how-can-i-call-a-javascript-constructor-using-call-or-apply https://stackoverflow.com/questions/1606797/use-of-apply-with-new-operator-is-this-possible to securely create the instance. The good thing is you never pass any parameters (14 times in 8 files), so the fix should not be a big deal.