I will try to remember to post a followup here.  But I usually forget such
things.

On Mon, Sep 11, 2017 at 11:51 PM, Sacha <sacha.schm...@gmail.com> wrote:

> Great to know that you are working on it, thanks for that. Could you
> please update this thread when you release a new version without eval?
>
> Many thanks!
>
> On Tuesday, September 12, 2017 at 1:04:14 PM UTC+10, Daniel LaLiberte
> wrote:
>>
>> I have changed the loader to no longer require eval for dynamic loading.
>> This is available for the 'current' version (v45.2) as well as v45 and
>> v45.1.  That was the most complex and real requirement for eval, so I am
>> glad we are done with that.
>>
>> But I just did a search through the code for other uses of eval, and
>> apparently there are still a few, though mostly incidental.  However, it
>> appears we do use eval now even when we could (and should) be using
>> JSON.parse.  Now that I see that, I'll make amends.  I don't anticipate
>> there should be any serious obstacles, but I've been surprised before.
>>
>> On Mon, Sep 11, 2017 at 9:37 PM, Sacha <sacha....@gmail.com> wrote:
>>
>>> Hi Daniel,
>>>
>>> Has this been resolved now? If not, is there a workaround for this eval()
>>> function?
>>>
>>> For security purposes, we have to remove `unsafe-eval` from the CSP and
>>> this now breaks our charts...
>>>
>>> Thank you.
>>>
>>> On Wednesday, June 10, 2015 at 11:05:01 PM UTC+10, Daniel LaLiberte
>>> wrote:
>>>>
>>>> Hi Anthony,
>>>>
>>>> As noted in David Konrad's answer to this StackOverflow question
>>>> <http://stackoverflow.com/questions/30744615/google-charts-unsafe-eval>,
>>>> the remaining use of eval() in Google Charts code involves browser
>>>> compatibility.  We are now using JSON.parse() in most situations, if it is
>>>> available.   We also have to resolve at least one more use of eval, when
>>>> processing the response to an XHR request for data from a spreadsheet.
>>>> The issue here involves calling the JavaScript Date() constructor to create
>>>> date values, but this use can be entirely replaced by our Date string
>>>> notation.
>>>>
>>>> But there is one other use of eval that will be more difficult to
>>>> resolve.  When more than one google.load() call is made to load additional
>>>> code, this must be done in the context of the originally loaded code, and
>>>> currently, this must be done with an eval().  A simple alternative is to
>>>> just not support additional calls to google.load().
>>>>
>>>> On Tue, Jun 9, 2015 at 7:29 PM, Anthony D'Andrea <anth...@gmail.com>
>>>> wrote:
>>>>
>>>>> Using Google Charts on my site and I removed
>>>>> script-src 'unsafe-eval'
>>>>> from my CSP headers. Now the chart fails to render. It now displays an
>>>>> invalid JSON error. It would be nice if google charts didn't require
>>>>> unsafe-eval so I can be more secure.
>>>>>
>>>>> --
>>>>> You received this message because you are subscribed to the Google
>>>>> Groups "Google Visualization API" group.
>>>>> To unsubscribe from this group and stop receiving emails from it, send
>>>>> an email to google-visualization-api+unsubscr...@googlegroups.com.
>>>>> To post to this group, send email to google-visua...@googlegroups.com.
>>>>> Visit this group at http://groups.google.com/group/google-visualization-api.
>>>>> For more options, visit https://groups.google.com/d/optout.
>>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> Daniel LaLiberte
>>>> <https://plus.google.com/100631381223468223275?prsrc=2>  - 978-394-1058
>>>> dlali...@google.com   5CC, Cambridge MA
>>>> daniel.l...@gmail.com 9 Juniper Ridge Road, Acton MA
>>>> <https://maps.google.com/?q=9+Juniper+Ridge+Road,+Acton+MA&entry=gmail&source=g>
>>>>
>>
>>
>>
>> --
>> Daniel LaLiberte <https://plus.google.com/100631381223468223275?prsrc=2>
>> dlali...@google.com   5CC, Cambridge MA
>>



-- 
Daniel LaLiberte <https://plus.google.com/100631381223468223275?prsrc=2>
dlalibe...@google.com <dlalibe...@google.com>   5CC, Cambridge MA
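
The thread above describes replacing eval() with JSON.parse() and carrying dates in a Date string notation, so that a page can drop `'unsafe-eval'` from its CSP. The following is an added example, not part of the original messages and not Google Charts code; the function names and the constructed sample response (a cols/rows table whose date cells are strings of the form `"Date(y, m, d, ...)"`) are assumptions made for illustration.

```javascript
// Constructed sample response: dates travel as strings, so the payload is plain JSON.
// The second row also carries a script-like string to show that it stays inert data.
const SAMPLE_RESPONSE =
  '{"cols":[{"label":"Day","type":"date"},{"label":"Note","type":"string"}],' +
  '"rows":[{"c":[{"v":"Date(2017, 8, 11)"},{"v":"ok"}]},' +
  '{"c":[{"v":"Date(2017, 8, 12, 13, 4, 14)"},{"v":"alert(1)"}]}]}';

// Whole-string match: a 4-digit year followed by 2 to 6 more integers (month is 0-based).
const DATE_NOTATION = /^Date\(\s*(\d{4}(?:\s*,\s*\d{1,3}){2,6})\s*\)$/;

// Convert one date string to a Date using numeric arguments only; nothing is evaluated.
function toDate(value) {
  const m = typeof value === 'string' ? DATE_NOTATION.exec(value) : null;
  if (!m) throw new TypeError('not a Date string: ' + String(value));
  const parts = m[1].split(',').map((s) => parseInt(s, 10));
  return new Date(...parts);
}

// Parse a response without eval(): JSON.parse first, then convert only the cells
// whose column is declared as date or datetime.
function parseDataResponse(text) {
  const table = JSON.parse(text); // throws SyntaxError on anything that is not JSON
  for (const row of table.rows) {
    row.c.forEach((cell, i) => {
      const type = table.cols[i].type;
      if (cell && (type === 'date' || type === 'datetime')) cell.v = toDate(cell.v);
    });
  }
  return table;
}

// An eval-era payload that calls the Date() constructor inline is not JSON,
// so a strict parser rejects it instead of executing it.
function isPlainJson(text) {
  try { JSON.parse(text); return true; } catch (e) { return false; }
}
```

With parsing done this way, the data path no longer needs `'unsafe-eval'` in `script-src`; a response that still embeds `new Date(...)` fails at JSON.parse rather than running.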
