Avoid using new Function()

Question

Avoid using new Function()

Opened this issue 5 years ago · 6 comments

The new Function(...), user here: https://github.com/blueimp/JavaScript-Templates/blob/master/js/tmpl.js#L24

is a bad practice, and disabled by default if using Content Security Policy (see here)

Can this be replaced? Otherwise who uses CSP must add unsafe-eval to use this library, allowing potential secutiry vulnerabilities.

Answer 1 · 2019-12-01T04:28:10.000Z

For any production use, my recommendation is to make use of compiled templates.
Using those compiled template functions only requires a minimal runtime that does not make use of new Function or any other unsafe-eval construct.

Answer 2 · 2020-04-12T05:12:41.000Z

Can you provide an example on how to use the "compiled template" to produce javascript and what the output looks like?

Trying your example only showed me this:

basedir=$(dirname "$(echo "$0" | sed -e 's,\\,/,g')")

case `uname` in
    *CYGWIN*|*MINGW*|*MSYS*) basedir=`cygpath -w "$basedir"`;;
esac

if [ -x "$basedir/node" ]; then
  "$basedir/node"  "$basedir/node_modules/blueimp-tmpl/js/compile.js" "$@"
  ret=$?
else 
  node  "$basedir/node_modules/blueimp-tmpl/js/compile.js" "$@"
  ret=$?
fi
exit $ret

It opened up Atom and showed that Greek to me.

Or,

c:\Users\bob\node\tmpl>tmpl.js index.html > tmpl.js
The process cannot access the file because it is being used by another process.

Answer 3 · 2020-04-12T08:47:01.000Z

Hi @oliverbob,
that code snippet you posted does not look like anything from this project, so it's likely an artifact from your environment.

Have you followed the guide here?
https://github.com/blueimp/JavaScript-Templates#compiled-templates

Answer 4 · 2020-04-13T11:13:30.000Z

Hi Sebastian,

It is the result of following the tutorial/documentation you have provided. I followed the guide step by step and installed the template like:

npm install blueimp-tmpl -g

But may be this is an issue on node. I'm using the latest version on windows. Can you provide a concrete example of how to use the tmpl.js compiler in the wiki?

Thank you very much,

Oliver

Answer 5 · 2020-04-13T13:14:10.000Z

Sorry I don't provide support to run this on Windows.
If you're on Windows 10, I recommend you to run it inside of Windows Subsystem for Linux.

However if you want to figure out how to make this work under Windows and would like to write a guide with step-by-step instructions, I'd gladly add a link to the Wiki.

Answer 6 · 2020-04-24T10:23:45.000Z

Ok, I will try this on puppy linux.