When we run an automated security scan against our GWT project, one of the
main vulnerabilities is related to the presence of eval() functions in
the xxxx.nocache.js file:
...{j=k.substring(Z,m);l=k.substring(m+$)}else{j=k;l=fb}c[j]=l}}else
if(j==xb){k=i.getAttribute(vb);if(k){try{d=*eval(k)*}catch(a){alert(yb+k+zb)}}}else
if(j==Ab){k=i.getAttribute(vb);if(k){try{e=*eval(k)*}catch(a){alert(yb+k+Bb)}}}}}__gwt_getMetaProperty=function(a){var
b=c[a];return b==null?null:b};w=d;ipmweb.__errFn=e}...
We added a CSP that blocks eval execution and the application runs
correctly, meaning that those eval() calls are not executed at runtime.
Is there a way to get rid of those eval() functions? Is there someone who
knows in which cases those eval() calls get executed?
--
You received this message because you are subscribed to the Google Groups "GWT
Users" group.
To view this discussion on the web visit
https://groups.google.com/d/msgid/google-web-toolkit/c55d87d6-1107-4e37-9eb0-02601954c77an%40googlegroups.com.
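
An added example, not part of the original post and not GWT's own code: a Node.js check that scans a host page for the `<meta>` tags whose `content` attribute reaches the `eval(k)` calls in the snippet above. It assumes the minified constants `xb` and `Ab` hold the names `gwt:onPropertyErrorFn` and `gwt:onLoadErrorFn` used in GWT's bootstrap template; `findEvalMetas`, the sample pages and the module name `app` are illustrative.

```javascript
// Added example (not GWT code). The meta names are assumed from GWT's
// bootstrap template; in the minified snippet they are the constants xb and Ab.
const EVAL_META_NAMES = ['gwt:onPropertyErrorFn', 'gwt:onLoadErrorFn'];

// Read one attribute from a raw tag string (double, single or unquoted value).
function attr(tag, name) {
  const re = new RegExp(
    '\\s' + name + '\\s*=\\s*(?:"([^"]*)"|\'([^\']*)\'|([^\\s>]+))', 'i');
  const m = re.exec(tag);
  return m ? (m[1] ?? m[2] ?? m[3] ?? '') : null;
}

// Return the meta tags whose content the bootstrap would pass to eval().
// moduleName is optional: a "<module>::<name>" prefix is stripped (assumption
// taken from GWT's template, not visible in the quoted fragment).
function findEvalMetas(html, moduleName) {
  const hits = [];
  for (const tag of html.match(/<meta\b[^>]*>/gi) || []) {
    let name = attr(tag, 'name');
    if (!name) continue;
    if (moduleName) name = name.replace(moduleName + '::', '');
    const content = attr(tag, 'content');
    // Mirrors the snippet: eval(k) runs only when the attribute is non-empty.
    if (EVAL_META_NAMES.includes(name) && content) hits.push({ name, content });
  }
  return hits;
}

// Constructed sample host pages.
const CLEAN_PAGE = `<html><head>
<meta name="gwt:property" content="locale=en">
<script src="app/app.nocache.js"></script></head></html>`;
const HOOKED_PAGE = `<html><head>
<meta name='gwt:onLoadErrorFn' content='handleLoadError'>
<meta name="gwt:onPropertyErrorFn" content="">
</head></html>`;

console.log(findEvalMetas(CLEAN_PAGE));
console.log(findEvalMetas(HOOKED_PAGE));
```

An empty result for every host page that loads the module is consistent with the application running unchanged under a CSP without `'unsafe-eval'`.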