
Use of "new Function" violates content security policy

Open jhirshman opened this issue 5 years ago • 6 comments

This package's use of "new Function" causes the code in this library to violate our content security policy. This could be avoided by spelling out the anonymous function instead because never is it the case that the function is not actually dynamically generated.

For example, var a = new Function('return 3;'); can be replaced with var a = (function anonymous() { return 3; });

Additionally, there are "evals" in the code that could probably be removed.

jhirshman avatar Apr 11 '20 06:04 jhirshman
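To make the refactor concrete, here is an added example (not code from the Kekule.js repository or from the commenters): the `new Function` pattern beside a closure that behaves the same without dynamic code, plus a small audit helper that lists the lines of a source string where CSP-relevant dynamic evaluation (`new Function`, `eval`, string-argument timers) appears. The sample source is constructed for the example.

```javascript
// Added example, not Kekule.js code.

// Before: builds a property reader from a string at runtime. Under a CSP
// without 'unsafe-eval' the constructor call throws an EvalError.
function makeReaderDynamic(propName) {
  return new Function('obj', 'return obj.' + propName + ';');
}

// After: a closure gives the same behaviour with no dynamic code, so it
// runs unchanged under a strict script-src policy.
function makeReaderStatic(propName) {
  return function anonymous(obj) { return obj[propName]; };
}

// Constructs that need 'unsafe-eval'. String arguments to setTimeout /
// setInterval are compiled like eval and are covered by the same rule.
const DYNAMIC_CODE_PATTERNS = [
  ['new Function', /\bnew\s+Function\s*\(/],
  ['eval', /\beval\s*\(/],
  ['string timer', /\bset(?:Timeout|Interval)\s*\(\s*['"`]/],
];

// Audit helper: returns { line, kind } for every line that matches one of
// the patterns above. A hit inside a comment or string literal is still
// reported, which is acceptable for a manual review pass.
function findDynamicCodeSites(source) {
  const hits = [];
  source.split('\n').forEach((line, idx) => {
    for (const [kind, re] of DYNAMIC_CODE_PATTERNS) {
      if (re.test(line)) hits.push({ line: idx + 1, kind });
    }
  });
  return hits;
}

// Constructed sample source (not taken from any real file).
const SAMPLE_SOURCE = [
  "var a = new Function('return 3;');",
  "var b = (function anonymous() { return 3; });",
  "var cfg = eval('(' + json + ')');",
  "setTimeout('tick()', 100);",
  "var safeCfg = JSON.parse(json);",
].join('\n');
```

Running `findDynamicCodeSites` over a built dist file gives a quick list of the sites that still need the treatment described in this thread.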

Thanks for the reminder. Now the calls to new Function() have been modified. Some eval calls are also changed. Please check the latest dist files in the repo.

partridgejiang avatar Apr 15 '20 14:04 partridgejiang

Thank you for making that change. I will pull down and work with the latest version.

jhirshman avatar Apr 15 '20 14:04 jhirshman

Hello,

I'm currently trying to see if this project could be a good addition to eLabFTW (an ELN).

The first hurdle (after adding a file-loader for .png and .cur to webpack), is the CSP policy, which is strict on eLab.

The last release was quite a long time ago. Do you think it would be possible to make a new release?

Using the latest from master seems to fix some issues but not all (there are still some evil eval() out there).

NicolasCARPi avatar Aug 01 '20 05:08 NicolasCARPi

Yes, there are several other places with eval() in the code. I am on a trip currently and should inspect them later :).

partridgejiang avatar Aug 04 '20 12:08 partridgejiang

@NicolasCARPi, sorry for the delay, but now all the eval() calls have been removed from the library. Please check the latest dist files.

partridgejiang avatar Sep 14 '20 06:09 partridgejiang

Thanks @partridgejiang. I'll give it another try!

NicolasCARPi avatar Sep 14 '20 07:09 NicolasCARPi