Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

please remove eval from timeline_source_v2.3.0.zip\timeline_2.3.0\src\webapp\api\scripts\timeline.js #497

Open
GoogleCodeExporter opened this issue Aug 19, 2015 · 0 comments
Open

please remove eval from timeline_source_v2.3.0.zip\timeline_2.3.0\src\webapp\api\scripts\timeline.js #497

GoogleCodeExporter opened this issue Aug 19, 2015 · 0 comments
Labels
auto-migrated Priority-Medium Type-Defect

Comments

@GoogleCodeExporter
Copy link 

Issue summary:
https://groups.google.com/forum/#!topic/simile-widgets/j0Fmgtcrke8

I have been a user of timeline.js for over a year now and must say I really 
impressed by it and its community.

I have query regarding the use of eval in src\webapp\api\scripts\timeline.js.

I read a lot about eval being bad and all, so was wondering can you not replace 
the use of eval in Timeline.loadJSON && Timeline._Impl.prototype.loadJSON 
method with something like this for peace of mind:

xhr.onreadystatechange = function() {
  if (xhr.readyState == 4) {
    // JSON.parse does not evaluate the attacker's scripts.
    var resp = JSON.parse(xhr.responseText);
  }
}

Source: Cross-Origin XMLHttpRequest
http://developer.chrome.com/extensions/xhr.html

Original issue reported on code.google.com by [email protected] on 8 Aug 2013 at 9:01

Attachments:
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
auto-migrated Priority-Medium Type-Defect
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@GoogleCodeExporter