Server: FileSummary (filelist) uses JS Eval

Created on 3 Sep 2018 · 5 Comments · Source: nextcloud/server

For https://github.com/orgs/nextcloud/projects/18

The FileSummary uses handlebars and compiles the templates on the fly. This prevents a stricter CSP.

1. to develop enhancement

All 5 comments

@nextcloud/javascript seems that the simplest thing here is just moving this to plain javascript. Converting to vue will happen when the whole filelist is moved to vue.

For now just moving it to plain js is probably easiest and quickest.

GitMate.io thinks possibly related issues are https://github.com/nextcloud/server/issues/11029 (Contacts menu uses javascript eval), https://github.com/nextcloud/server/issues/5663 (Custom JS in theme failing: 'unsafe-eval'), https://github.com/nextcloud/server/issues/8089 (Filelist not updated in Groupfolder), https://github.com/nextcloud/server/issues/4487 (JS tests failing on CI), and https://github.com/nextcloud/server/pull/11023 (Bump JS deps Accessibility).

thus, handlebars template compilation in general is evil?

> thus, handlebars template compilation in general is evil?

@blizzz not by definition. Unsafe eval is evil :wink: . You can also compile your templates and upload the compiled js and use the templates then.

we didn't ship precompiled templates because $forgotten_issues
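The difference the thread is discussing, as an added Node.js example that is not Nextcloud or Handlebars code: a template function built from a string at run time is refused once string evaluation is disabled, while an equivalent function emitted ahead of time keeps working. `compileOnTheFly`, `precompiledSummary`, the template text and the sample data are constructed for illustration, and Node's `vm` context option `codeGeneration: { strings: false }` stands in for a CSP without `'unsafe-eval'`.

```javascript
const vm = require('vm');

const TEMPLATE = '{{dirs}} folders and {{files}} files'; // constructed sample template

// Stand-in for a runtime template compiler (constructed, not Handlebars itself):
// it builds the render function from a string, the step that needs 'unsafe-eval'.
function compileOnTheFly(tpl) {
  const body = 'return ' + JSON.stringify(tpl)
    .replace(/\{\{(\w+)\}\}/g, '" + esc(d.$1) + "') + ';';
  return new Function('d', 'esc', body);
}

// What a build step would emit ahead of time: an ordinary function, no string evaluation.
function precompiledSummary(d, esc) {
  return esc(d.dirs) + ' folders and ' + esc(d.files) + ' files';
}

function escapeHtml(v) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(v).replace(/[&<>"']/g, (c) => map[c]);
}

// Render inside a V8 context where code generation from strings is disabled,
// the same restriction a CSP without 'unsafe-eval' places on a page.
function renderUnderStrictPolicy(useRuntimeCompile, data) {
  const ctx = vm.createContext({ data },
    { codeGeneration: { strings: false, wasm: false } });
  const call = useRuntimeCompile
    ? `compileOnTheFly(${JSON.stringify(TEMPLATE)})(data, escapeHtml)`
    : 'precompiledSummary(data, escapeHtml)';
  const src = [compileOnTheFly, precompiledSummary, escapeHtml, call].join('\n');
  try {
    return { ok: true, html: vm.runInContext(src, ctx) };
  } catch (err) {
    return { ok: false, error: err.name }; // 'EvalError' when string evaluation is blocked
  }
}

const sample = { dirs: 2, files: '<b>7</b>' }; // constructed data; markup shows escaping
console.log(compileOnTheFly(TEMPLATE)(sample, escapeHtml)); // works where eval is allowed
console.log(renderUnderStrictPolicy(true, sample));  // runtime compile is refused
console.log(renderUnderStrictPolicy(false, sample)); // precompiled function still renders
```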
