Hey David,

Thank you. That is quite reassuring that the guys know about this and will 
take care of it.
Do you know where I can look up more information about this? Or whom to 
contact about this? The fix indeed seems quite trivial.

I do see that the eval is still being there in the latest source code:

timeline_source_v2.3.0.zip\timeline_2.3.0\src\webapp\api\scripts\timeline.js

Is the above not used anymore?

Regards,
Deb

On Wednesday, 7 August 2013 00:36:52 UTC+2, David Karger wrote:
>
>  It certainly would be good to remove eval where possible.  Someone on the 
> simile list has been discussing a rewrite of timeline they've been working 
> on, and perhaps they've already taken care of this issue.  You might look 
> for the conversation in the archives and pick up this issue there.
>
> On 8/6/2013 11:11 PM, Deb wrote:
>  
> Hi, 
>
>  I have been a user of timeline.js for over a year now and must say I am 
> really impressed by it and its community.
>
>  I have a query regarding the use of *eval* in *
> src\webapp\api\scripts\timeline.js*.
> I have read a lot about *eval* being bad and all, so I was wondering whether 
> you could replace the use of *eval* in the *Timeline.loadJSON* and *
> Timeline._Impl.prototype.loadJSON* methods with something like this, for 
> peace of mind:
>  
> xhr.onreadystatechange = function() {
>   if (xhr.readyState == 4) {
>     // JSON.parse does not evaluate the attacker's scripts.
>     var resp = JSON.parse(xhr.responseText);
>   }
> };
>
>  
>  Source: Cross-Origin XMLHttpRequest 
> <http://developer.chrome.com/extensions/xhr.html>
>  
>  Regards,
> Deb
>
>  -- 
> You received this message because you are subscribed to the Google Groups 
> "SIMILE Widgets" group.
> To unsubscribe from this group and stop receiving emails from it, send an 
> email to [email protected].
> To post to this group, send email to [email protected].
> Visit this group at http://groups.google.com/group/simile-widgets.
> For more options, visit https://groups.google.com/groups/opt_out.

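The point of the thread, shown side by side as an added example (this is not code from timeline.js or from either poster): a loader that feeds the HTTP response body to eval runs whatever the server, or anyone who can tamper with the response, sends, while JSON.parse only accepts data. The eval("(" + text + ")") wrapping is an assumption about how such a loader is typically written, and both response bodies below are constructed for the demonstration.

```javascript
// Added example, not SIMILE Timeline code. Compares an eval-based JSON loader
// with a JSON.parse-based one on a benign and on a hostile response body.

// Constructed legitimate response, shaped like a minimal event list.
const GOOD_RESPONSE =
  '{"dateTimeFormat":"iso8601","events":[{"start":"2013-08-06","title":"Thread started"}]}';

// Constructed hostile response. Inside "(" + text + ")" the first ")" closes
// the object literal, the statement after it runs, and the dangling "(1" is
// closed by the wrapper's trailing ")", so the whole string is valid JS.
const EVIL_RESPONSE =
  '{"events":[]}); globalThis.pwned = "eval ran attacker code"; (1';

// BEFORE (assumed shape of an eval-based loader): the body is JavaScript source.
function loadJsonWithEval(responseText) {
  return eval("(" + responseText + ")"); // executes whatever was sent
}

// AFTER: the body is data. Anything that is not strict JSON is rejected.
function loadJsonSafe(responseText) {
  return JSON.parse(responseText);
}

// Runs both loaders on one body and reports what each did, including any
// side effect the eval path left behind on the global object.
function compareLoaders(responseText) {
  delete globalThis.pwned; // reset the marker the hostile body tries to set
  const result = {
    evalOk: false, evalError: undefined, evalSideEffect: undefined,
    parseOk: false, parseError: undefined,
    same: false, // true when both succeed and yield identical data
  };
  let viaEval, viaParse;
  try {
    viaEval = loadJsonWithEval(responseText);
    result.evalOk = true;
  } catch (e) {
    result.evalError = e.name;
  }
  result.evalSideEffect = globalThis.pwned;
  try {
    viaParse = loadJsonSafe(responseText);
    result.parseOk = true;
  } catch (e) {
    result.parseError = e.name; // SyntaxError for the hostile body
  }
  if (result.evalOk && result.parseOk) {
    result.same = JSON.stringify(viaEval) === JSON.stringify(viaParse);
  }
  return result;
}

console.log("benign body:", compareLoaders(GOOD_RESPONSE));
console.log("hostile body:", compareLoaders(EVIL_RESPONSE));
```

For the benign body both loaders return the same object, so the swap is behaviour-preserving for well-formed data. For the hostile body the eval path reports success and has already set globalThis.pwned before the caller sees anything, while JSON.parse throws a SyntaxError and nothing runs. Note what JSON.parse does not do: strings inside a parsed response are still untrusted, so titles and descriptions need escaping when they are rendered into the page.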