PapaParse
Fix transformHeader can't work with worker (#623) (#761)
When worker is set to true, convert the transformHeader function to a string, so the config can be cloned to the worker and converted back in the worker thread by eval.
So, when using Content Security Policy, this workaround will still fail; consider using vkThread instead.
I'm a little bit worried about the eval function as string, especially as anyone can manipulate the string definition and then inject malicious code on the worker.
This raises a BIG WARNING in my mind.
Can we avoid using eval?
Yes, there are potential risks. But the transformHeader usually doesn't come from dynamic user input, and the eval is running in the worker, so only global data and code could be executed. Maybe a big notice in the document is needed.
And, as I mentioned, to totally avoid eval, consider using vkThread (https://github.com/vkiryukhin/vkthread), but I think it's a bit heavy for this problem.
Here's the way to do it without eval. Also, there are similar issues with all the rest of the config functions.
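Added example, not part of the thread and not PapaParse code: one eval-free design sends the worker the names of pre-registered transforms instead of function source, so the config clones cleanly and nothing is compiled from a string (which also keeps it working under a Content Security Policy that blocks eval). `HEADER_TRANSFORMS`, `buildWorkerConfig` and `resolveTransformHeader` are hypothetical names; the trade-off is that callers can only use transforms the worker script already defines.

```javascript
// Hypothetical registry, loaded by both the page and the worker script.
const HEADER_TRANSFORMS = Object.freeze({
  trim: (h) => h.trim(),
  lower: (h) => h.toLowerCase(),
  snake: (h) => h.trim().replace(/\s+/g, '_'),
});

// Own-property check so inherited keys such as "constructor" never resolve.
function isKnownTransform(name) {
  return typeof name === 'string' &&
    Object.prototype.hasOwnProperty.call(HEADER_TRANSFORMS, name);
}

// Shows why the PR needed a workaround: functions cannot be structured-cloned.
function functionsAreCloneable() {
  try {
    structuredClone({ transformHeader: (h) => h });
    return true;
  } catch (err) {
    return false; // DataCloneError
  }
}

// Main thread: validate the names, then clone with the algorithm postMessage uses.
function buildWorkerConfig(config) {
  const names = config.transformHeader || [];
  for (const name of names) {
    if (!isKnownTransform(name)) {
      throw new TypeError('unknown header transform: ' + String(name));
    }
  }
  return structuredClone({ ...config, transformHeader: [...names] });
}

// Worker side: validate again (the message is data from another context),
// then compose the registered functions. No eval, no new Function.
function resolveTransformHeader(workerConfig) {
  const fns = (workerConfig.transformHeader || []).map((name) => {
    if (!isKnownTransform(name)) {
      throw new TypeError('unknown header transform: ' + String(name));
    }
    return HEADER_TRANSFORMS[name];
  });
  return (header) => fns.reduce((h, fn) => fn(h), header);
}
```

A string of function source arriving at the worker is rejected as an unknown name rather than executed.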