
SOLVED

CQ HTTP eval in Classic UI Inbox


Level 1

Since this is part of the CQ API, I want to know how I can replace eval() here. Using eval() is a vulnerability.

1 Accepted Solution


Correct answer by
Community Advisor

Hey @abhishekk861844,

This is an old unanswered query now but hopefully you got around a fix for it!

Evaluating JavaScript code from a string is hazardous. A string may consist of malicious code that will be run on the user's machine, and the scope where eval() was called will be exposed to possible attacks.

The simplest alternative is to use window.Function(). It creates a global-scope function from the string.
Alternatively, eval(code) can artificially be replaced by (new Function('return '+code))()
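The replacement described in this answer, as an added example that is not code from the thread or from the CQ/AEM product: it contrasts eval() with the Function constructor on the same input string, shows that the Function version cannot see the caller's local variables, and adds the check a practitioner would want, parsing with JSON.parse when the string is really data rather than code. All names (withEval, withFunction, scopeProbe, parseData, SAMPLE_EXPR) and the sample strings are constructed for this example.

```javascript
// Constructed sample input: a harmless arithmetic expression arriving as a string.
const SAMPLE_EXPR = "1 + 2 * 3";

// The original pattern: eval() runs the string with full access to the
// caller's local scope, so anything defined here is reachable from the string.
function withEval(code) {
  const localSecret = "caller-scope-value"; // reachable by eval(code)
  return eval(code);
}

// The replacement suggested in the answer: the Function constructor compiles
// the string in global scope, so the caller's locals are not reachable.
// Note that the string is still executed as code, so it must still be trusted.
function withFunction(code) {
  const localSecret = "caller-scope-value"; // not reachable by the new function
  return (new Function("return " + code))();
}

// Demonstrates the scope difference with the same probe string:
// typeof of a caller-local name is "string" under eval() and "undefined"
// under the Function constructor.
function scopeProbe() {
  const probe = "typeof localSecret";
  return { viaEval: withEval(probe), viaFunction: withFunction(probe) };
}

// When the string carries data rather than code (a serialized object from the
// server, for instance), parse it instead of executing it: JSON.parse never
// runs code, and a string that is actually code is rejected rather than run.
function parseData(text) {
  try {
    return { ok: true, value: JSON.parse(text) };
  } catch (err) {
    return { ok: false, error: String(err) };
  }
}

// Stand-alone run: the expression evaluates to 7 either way, the probe shows the
// scope difference, and JSON.parse rejects the expression as non-data.
console.log(withEval(SAMPLE_EXPR), withFunction(SAMPLE_EXPR));
console.log(scopeProbe());
console.log(parseData('{"inboxId":42}'), parseData(SAMPLE_EXPR).ok);
```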

