David, can you clarify how you are using eval, and what it is that makes you 
want to stop specifically? 

Using CSP is entirely opt-in (though likely a good idea), but there is 
nothing about GWT that is going to take away the ability to use eval.

On Tuesday, June 4, 2024 at 11:59:58 PM UTC-5 David wrote:

> I also use eval in my GWT application. What is an eval alternative in GWT?
>
>
> On Tuesday, June 4, 2024 at 10:12:12 PM UTC+8 Colin Alworth wrote:
>
>> Consider compiling your application with style=PRETTY or DETAILED so you 
>> can see more detail on the names of methods and the classes that surround 
>> the code you have questions about; it can make it easier to hunt these down.
>>
>> I pretty-printed the code snippet you shared, which results in this:
>>                 {
>>                     j = k.substring(Z, m);
>>                     l = k.substring(m + $)
>>                 } else {
>>                     j = k;
>>                     l = fb
>>                 }
>>                 c[j] = l
>>             }
>>         }
>>         else if (j == xb) {
>>             k = i.getAttribute(vb);
>>             if (k) {
>>                 try {
>>                     d = eval(k)
>>                 } catch (a) {
>>                     alert(yb + k + zb)
>>                 }
>>             }
>>         } else if (j == Ab) {
>>             k = i.getAttribute(vb);
>>             if (k) {
>>                 try {
>>                     e = eval(k)
>>                 } catch (a) {
>>                     alert(yb + k + Bb)
>>                 }
>>             }
>>         }
>>     }
>> }
>> __gwt_getMetaProperty = function(a) {
>>     var b = c[a];
>>     return b == null ? null : b
>> };
>>
>> The catch blocks have an alert in them, not something we typically see in 
>> GWT. It turns out this is part of the default linker, what looks like an 
>> old workaround to support extra meta tags contributing error handling code.
>>
>> https://github.com/gwtproject/gwt/blob/6cf9146a8c53743c99e48b1d1db42a2e2010e1d7/dev/core/src/com/google/gwt/core/ext/linker/impl/processMetas.js
>>           if (eq >= 0) {
>>             name = content.substring(0, eq);
>>             value = content.substring(eq + 1);
>>           } else {
>>             name = content;
>>             value = '';
>>           }
>>           metaProps[name] = value;
>>         }
>>       } else if (name == 'gwt:onPropertyErrorFn') {
>>         content = meta.getAttribute('content');
>>         if (content) {
>>           try {
>>             propertyErrorFunc = eval(content);
>>           } catch (e) {
>>             alert('Bad handler \"' + content +
>>               '\" for \"gwt:onPropertyErrorFn\"');
>>           }
>>         }
>>       } else if (name == 'gwt:onLoadErrorFn') {
>>         content = meta.getAttribute('content');
>>         if (content) {
>>           try {
>>             onLoadErrorFunc = eval(content);
>>           } catch (e) {
>>             alert('Bad handler \"' + content +
>>               '\" for \"gwt:onLoadErrorFn\"');
>>           }
>>         }
>>       }
>>     }
>>   }
>>
>>
>>   // Set some of the variables in the main script
>>   __gwt_getMetaProperty = function(name) {
>>     var value = metaProps[name];
>>     return (value == null) ? null : value;
>>   }
>>
>> This is used by most of the built-in linkers - there is an alternative 
>> file, processMetasNull.js, which could be used to remove these entirely. To 
>> use that, extend your current linker (presumably CrossSiteIframeLinker) and 
>> override getJsProcessMetas to return 
>> "com/google/gwt/core/ext/linker/impl/processMetasNull.js".
>>
>> I've filed https://github.com/gwtproject/gwt/issues/9967 to explore 
>> phasing these out or making them easier to disable.
>>
>> On Tuesday, June 4, 2024 at 4:54:38 AM UTC-5 [email protected] wrote:
>>
>>> When we run an automated security scan against our GWT project, one of the 
>>> main vulnerabilities is related to the presence of eval() functions in 
>>> the xxxx.nocache.js file
>>>
>>> ...{j=k.substring(Z,m);l=k.substring(m+$)}else{j=k;l=fb}c[j]=l}}else 
>>> if(j==xb){k=i.getAttribute(vb);if(k){try{d=*eval(k)*}catch(a){alert(yb+k+zb)}}}else 
>>> if(j==Ab){k=i.getAttribute(vb);if(k){try{e=*eval(k)*}catch(a){alert(yb+k+Bb)}}}}}__gwt_getMetaProperty=function(a){var 
>>> b=c[a];return b==null?null:b};w=d;ipmweb.__errFn=e}...
>>>
>>> We added the CSP that blocks eval executions and the application runs 
>>> correctly, meaning that those eval() are not called at runtime.
>>>
>>> Is there a way to get rid of those eval() functions? Is there someone 
>>> who knows in which cases those eval() get executed? 
>>>
>>
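
The behaviour discussed in this thread, as an added example that is not part of any message above and is not GWT's code: going by the processMetas.js fragment quoted above, eval() is reached only when a meta tag named gwt:onPropertyErrorFn or gwt:onLoadErrorFn carries non-empty content. The sketch reports which metas would reach it and resolves the handler by property lookup instead of evaluating the string; resolveHandler, processHandlerMetas, the scope object and the sample metas are all hypothetical.

```javascript
// Added example, not GWT code. The two meta names come from processMetas.js;
// every function name and all sample data below are hypothetical.
const HANDLER_METAS = ['gwt:onPropertyErrorFn', 'gwt:onLoadErrorFn'];
const DOTTED_NAME = /^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$/;

// Look up "a.b.c" on scope by property access; the string is never evaluated.
function resolveHandler(content, scope) {
  if (!DOTTED_NAME.test(content)) return null; // arbitrary expressions are rejected
  let target = scope;
  for (const part of content.split('.')) {
    if (target == null || !Object.prototype.hasOwnProperty.call(target, part)) return null;
    target = target[part];
  }
  return typeof target === 'function' ? target : null;
}

// Report which metas would have reached eval() in the stock script, and what
// the eval-free lookup resolves them to.
function processHandlerMetas(metas, scope) {
  const result = { evalReached: [], handlers: {}, rejected: [] };
  for (const m of metas) {
    const name = m.getAttribute('name');
    if (!HANDLER_METAS.includes(name)) continue;
    const content = m.getAttribute('content');
    if (!content) continue; // same guard as the quoted code: no content, no eval
    result.evalReached.push(name);
    const fn = resolveHandler(content, scope);
    if (fn) result.handlers[name] = fn; else result.rejected.push(name);
  }
  return result;
}

// Constructed sample input standing in for document.getElementsByTagName('meta').
const fakeMeta = (name, content) => ({ getAttribute: (a) => ({ name, content })[a] ?? null });
const scope = { app: { onLoadError: () => 'load failed' } };
const sampleMetas = [
  fakeMeta('viewport', 'width=device-width'),
  fakeMeta('gwt:onLoadErrorFn', 'app.onLoadError'),
  fakeMeta('gwt:onPropertyErrorFn', '(function () { return 1; })'),
];
const demo = processHandlerMetas(sampleMetas, scope);
```

A page with neither meta tag yields an empty evalReached list, which matches the report that the application runs correctly under a CSP that blocks eval.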
