Adobe Experience Manager Sites & More

abhishekk861844 · 5/10/21

Since this is part of CQ API, I want to know how I can replace eval() here. Using eval() is a vulnerability.

Rohan_Garg · 9/18/24

Hey @abhishekk861844,

This is an old unanswered query now but hopefully you got around a fix for it!

Evaluating JavaScript code from a string is hazardous. A string may consist of malicious code that will be run on the user's machine, and the scope, where eval() was called will be exposed for possible attacks.

The most simple alternative is to use windows.Function(). It creates a global scope function from the string.
Alternatively, eval(code) can artificially be replaced by (new Function('return '+code))()

View solution in original post

Rohan_Garg · 9/18/24

Hey @abhishekk861844,

This is an old unanswered query now but hopefully you got around a fix for it!

Evaluating JavaScript code from a string is hazardous. A string may consist of malicious code that will be run on the user's machine, and the scope, where eval() was called will be exposed for possible attacks.

The most simple alternative is to use windows.Function(). It creates a global scope function from the string.
Alternatively, eval(code) can artificially be replaced by (new Function('return '+code))()

Adobe Experience Manager Sites & More

CQ HTTP eval in Classic UI Inbox

Learn

Documentation

Community

Support

Resources

Adobe account

Adobe