I also use eval in my GWT application. What is an eval alternative in GWT?
On Tuesday, June 4, 2024 at 10:12:12 PM UTC+8 Colin Alworth wrote:
> Consider compiling your application with style=PRETTY or DETAILED so you
> can see more detail on the name of methods and the classes that surround
> the code you have questions about; it can make it easier to hunt these down.
>
> I pretty-printed the code snippet you shared, which results in this:
>           {
>             j = k.substring(Z, m);
>             l = k.substring(m + $)
>           } else {
>             j = k;
>             l = fb
>           }
>           c[j] = l
>         }
>       }
>       else if (j == xb) {
>         k = i.getAttribute(vb);
>         if (k) {
>           try {
>             d = eval(k)
>           } catch (a) {
>             alert(yb + k + zb)
>           }
>         }
>       } else if (j == Ab) {
>         k = i.getAttribute(vb);
>         if (k) {
>           try {
>             e = eval(k)
>           } catch (a) {
>             alert(yb + k + Bb)
>           }
>         }
>       }
>     }
>   }
>   __gwt_getMetaProperty = function(a) {
>     var b = c[a];
>     return b == null ? null : b
>   };
>
> The catch blocks have an alert in them, not something we typically see in
> GWT. It turns out this is part of the default linker, what looks like an
> old workaround to support extra meta tags contributing error handling code.
>
> https://github.com/gwtproject/gwt/blob/6cf9146a8c53743c99e48b1d1db42a2e2010e1d7/dev/core/src/com/google/gwt/core/ext/linker/impl/processMetas.js
>           if (eq >= 0) {
>             name = content.substring(0, eq);
>             value = content.substring(eq + 1);
>           } else {
>             name = content;
>             value = '';
>           }
>           metaProps[name] = value;
>         }
>       } else if (name == 'gwt:onPropertyErrorFn') {
>         content = meta.getAttribute('content');
>         if (content) {
>           try {
>             propertyErrorFunc = eval(content);
>           } catch (e) {
>             alert('Bad handler \"' + content +
>                 '\" for \"gwt:onPropertyErrorFn\"');
>           }
>         }
>       } else if (name == 'gwt:onLoadErrorFn') {
>         content = meta.getAttribute('content');
>         if (content) {
>           try {
>             onLoadErrorFunc = eval(content);
>           } catch (e) {
>             alert('Bad handler \"' + content + '\" for \"gwt:onLoadErrorFn\"');
>           }
>         }
>       }
>     }
>   }
>
>
>   // Set some of the variables in the main script
>   __gwt_getMetaProperty = function(name) {
>     var value = metaProps[name];
>     return (value == null) ? null : value;
>   }
>
> This is used by most of the built-in linkers - there is an alternative
> file, processMetasNull.js, which could be used to remove these entirely. To
> use that, extend your current linker (presumably CrossSiteIframeLinker) and
> override getJsProcessMetas to return
> "com/google/gwt/core/ext/linker/impl/processMetasNull.js".
>
> I've filed https://github.com/gwtproject/gwt/issues/9967 to explore
> phasing these out or making them easier to disable.
>
> On Tuesday, June 4, 2024 at 4:54:38 AM UTC-5 [email protected] wrote:
>
>> When we run an automated security scan against our GWT project, one of the
>> main vulnerabilities is related to the presence of eval() functions in
>> the xxxx.nocache.js file
>>
>> ...{j=k.substring(Z,m);l=k.substring(m+$)}else{j=k;l=fb}c[j]=l}}else
>> if(j==xb){k=i.getAttribute(vb);if(k){try{d=*eval(k)*}catch(a){alert(yb+k+zb)}}}else
>>
>> if(j==Ab){k=i.getAttribute(vb);if(k){try{e=*eval(k)*}catch(a){alert(yb+k+Bb)}}}}}__gwt_getMetaProperty=function(a){var
>>
>> b=c[a];return b==null?null:b};w=d;ipmweb.__errFn=e}...
>>
>> We added the CSP that blocks eval executions and the application runs
>> correctly, meaning that those eval() are not called at runtime.
>>
>> Is there a way to get rid of those eval() functions? Is there someone who
>> knows in which cases those eval() get executed?
>>
>
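
Added example (not part of the thread and not GWT's own code): one eval-free way to handle meta tags such as gwt:onLoadErrorFn, assuming the content attribute is meant to name a function. resolveHandler, processMetas and the sample objects are hypothetical and constructed for illustration.

```javascript
// Hypothetical eval-free handler lookup; this is not GWT's processMetas.js.
const HANDLER_METAS = ['gwt:onPropertyErrorFn', 'gwt:onLoadErrorFn'];
// Only a dotted path of plain identifiers is accepted, never an expression.
const NAME_PATH = /^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$/;

// Walk the dotted name from `root` and return the function it names, or null.
function resolveHandler(content, root) {
  if (typeof content !== 'string' || !NAME_PATH.test(content)) return null;
  let target = root;
  for (const part of content.split('.')) {
    // Own properties only, so inherited members such as "constructor" are unreachable.
    if (target == null || !Object.prototype.hasOwnProperty.call(target, part)) return null;
    target = target[part];
  }
  return typeof target === 'function' ? target : null;
}

// metas: objects exposing getAttribute(), like the <meta> elements the linker script reads.
function processMetas(metas, root) {
  const handlers = {};
  const rejected = [];
  for (const meta of metas) {
    const name = meta.getAttribute('name');
    if (!HANDLER_METAS.includes(name)) continue;
    const content = meta.getAttribute('content');
    if (!content) continue;
    const fn = resolveHandler(content, root);
    if (fn) handlers[name] = fn;
    else rejected.push({ name, content }); // report instead of executing
  }
  return { handlers, rejected };
}

// Constructed sample input standing in for the page's <meta> tags and window object.
const fakeMeta = (name, content) => ({ getAttribute: (a) => ({ name, content }[a] ?? null) });
const sampleRoot = { app: { onLoadError: () => 'load-error-handled' } };
const sampleMetas = [
  fakeMeta('gwt:onLoadErrorFn', 'app.onLoadError'),
  fakeMeta('gwt:onPropertyErrorFn', '(function(){ return 1; })'),
  fakeMeta('gwt:property', 'locale=en'),
];
const result = processMetas(sampleMetas, sampleRoot);
console.log(Object.keys(result.handlers), result.rejected);
```

Because nothing is evaluated as code, this lookup keeps working under a CSP that blocks eval, and a content value that is an expression rather than a name ends up in `rejected`.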