It certainly would be good to remove eval where possible. Someone on
the simile list has been discussing a rewrite of timeline they've been
working on, and perhaps they've already taken care of this issue. You
might look for the conversation in the archives and pick up this issue
there.
On 8/6/2013 11:11 PM, Deb wrote:
Hi,
I have been a user of timeline.js for over a year now and must say I am
really impressed by it and its community.
I have a query regarding the use of eval in
src\webapp\api\scripts\timeline.js.
I read a lot about eval being bad and all, so was wondering: can you
not replace the use of eval in the Timeline.loadJSON and
Timeline._Impl.prototype.loadJSON methods with something like this,
for peace of mind:
    xhr.onreadystatechange = function () {
        if (xhr.readyState == 4) {
            // JSON.parse does not evaluate the attacker's scripts.
            var resp = JSON.parse(xhr.responseText);
        }
    };
Source: Cross-Origin XMLHttpRequest
<http://developer.chrome.com/extensions/xhr.html>
Regards,
Deb
--
You received this message because you are subscribed to the Google
Groups "SIMILE Widgets" group.
To unsubscribe from this group and stop receiving emails from it, send
an email to [email protected].
To post to this group, send email to [email protected].
Visit this group at http://groups.google.com/group/simile-widgets.
For more options, visit https://groups.google.com/groups/opt_out.
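The point of Deb's suggestion, shown side by side as an added example that is not part of the thread or of timeline.js: an eval-based loader hands the response body to the JavaScript engine, so a body that is a valid JS expression but not JSON runs code, whereas JSON.parse rejects it with a SyntaxError and executes nothing. The shape of the eval call (wrapping the body in parentheses), the minimal event schema, the handler name and the sample bodies are all assumptions made for the illustration, not taken from the project.

```javascript
// Added illustration; not code from timeline.js or from the simile-widgets thread.

// An eval-based loader of the shape the thread is discussing. Assumption: the
// body is wrapped in parentheses so an object literal parses as an expression.
// Any JavaScript expression in the response runs with the page's privileges.
function loadJsonWithEval(responseText) {
  return eval("(" + responseText + ")");
}

// The replacement Deb proposes: the body is parsed as data only.
// Non-JSON input throws a SyntaxError instead of executing.
function loadJsonSafely(responseText) {
  return JSON.parse(responseText);
}

// JSON.parse accepts any valid JSON, so still check the shape the widget
// expects before using it. Hypothetical minimal schema: {events:[{start,title}]}.
function validateTimelineData(data) {
  if (data === null || typeof data !== "object" || !Array.isArray(data.events)) {
    throw new TypeError("expected an object with an events array");
  }
  for (const ev of data.events) {
    if (ev === null || typeof ev !== "object" ||
        typeof ev.start !== "string" || typeof ev.title !== "string") {
      throw new TypeError("each event needs a string start and title");
    }
  }
  return data;
}

// Deb's onreadystatechange handler with an HTTP status check and schema
// validation added. `xhr` only needs readyState, status and responseText,
// so a plain object stands in for a real XMLHttpRequest below.
function handleTimelineResponse(xhr, onLoad, onError) {
  if (xhr.readyState !== 4) return;
  if (xhr.status !== 200) { onError(new Error("HTTP " + xhr.status)); return; }
  let data;
  try {
    data = validateTimelineData(loadJsonSafely(xhr.responseText));
  } catch (e) {
    onError(e);           // SyntaxError for non-JSON, TypeError for a bad shape
    return;
  }
  onLoad(data);
}

// Constructed sample response bodies.
const BENIGN_BODY =
  '{"events":[{"start":"2013-08-06","title":"Post to simile-widgets"}]}';
// Valid JavaScript, not valid JSON: the comma expression assigns a global
// as a side effect and then yields "x" as the title, so the timeline still
// renders and nothing looks wrong.
const HOSTILE_BODY =
  '{"events":[{"start":"2013-08-06","title":(globalThis.pwned = "yes", "x")}]}';

// Runs both loaders over both bodies and reports what happened.
function demo() {
  const result = {};

  globalThis.pwned = undefined;
  result.evalTitle = loadJsonWithEval(HOSTILE_BODY).events[0].title; // "x"
  result.evalSideEffect = globalThis.pwned;                          // "yes": code ran

  globalThis.pwned = undefined;
  try {
    loadJsonSafely(HOSTILE_BODY);
    result.parseRejected = false;
  } catch (e) {
    result.parseRejected = e instanceof SyntaxError;                 // true
  }
  result.parseSideEffect = globalThis.pwned;                         // undefined: nothing ran

  handleTimelineResponse({ readyState: 4, status: 200, responseText: BENIGN_BODY },
    (d) => { result.benignEvents = d.events.length; },
    (e) => { result.benignError = e.name; });
  handleTimelineResponse({ readyState: 4, status: 200, responseText: HOSTILE_BODY },
    () => { result.hostileLoaded = true; },
    (e) => { result.hostileError = e.name; });
  return result;
}
```

The JSON.parse swap closes the code-execution path, but it does not make the data trustworthy: a feed can still carry any JSON it likes, which is why the handler above checks the shape before handing it to the widget, and why the HTTP status is checked before parsing at all.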