
SOLVED

CQ HTTP eval in Classic UI Inbox


Level 1

Since this is part of the CQ API, I want to know how I can replace eval() here. Using eval() is a vulnerability.

1 Accepted Solution


Correct answer by
Community Advisor

Hey @abhishekk861844,

This is an old unanswered query now but hopefully you got around a fix for it!

Evaluating JavaScript code from a string is hazardous. A string may consist of malicious code that will be run on the user's machine, and the scope where eval() was called will be exposed to possible attacks.

The simplest alternative is to use window.Function(). It creates a global-scope function from the string.
Alternatively, eval(code) can artificially be replaced by (new Function('return ' + code))().

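To make the scope point in the accepted answer concrete, here is an added example (not code from the thread, from CQ or from AEM; the function names, the local variable and the sample configuration string are constructed for illustration). A direct eval() can read a local variable of the function that calls it, while a function built with new Function() is compiled in the global scope and cannot resolve that name. The last helper covers the case where the string only carries data, such as a widget configuration, which JSON.parse handles without executing anything.

```javascript
// Added example: scope exposure of eval() versus new Function(), and JSON.parse
// for strings that are data rather than code. Names and values are constructed.

// A direct eval() runs the string in the caller's scope, so the string can
// read (and tamper with) locals such as localSecret.
function runWithEval(code) {
  const localSecret = "session-token-123"; // constructed local value
  return eval(code);
}

// new Function() compiles the string in the global scope. The same local
// exists here, but the generated function has no access to it: referencing
// it throws a ReferenceError, and typeof reports "undefined".
function runWithFunction(code) {
  const localSecret = "session-token-123"; // constructed local, unreachable below
  try {
    return new Function("return " + code)();
  } catch (e) {
    return e instanceof ReferenceError ? "ReferenceError" : e.name;
  }
}

// When the string is configuration data, parse it instead of executing it.
// JSON.parse never runs code: anything that is not JSON is a SyntaxError.
function parseData(text) {
  try {
    return { ok: true, value: JSON.parse(text) };
  } catch (e) {
    return { ok: false, error: e.name };
  }
}

// Stand-alone demonstration (output is informational only).
console.log("eval sees the local:        ", runWithEval("localSecret"));
console.log("Function cannot see it:     ", runWithFunction("localSecret"));
console.log("typeof via eval / Function: ",
  runWithEval("typeof localSecret"), "/", runWithFunction("typeof localSecret"));
console.log("arithmetic still works:     ", runWithFunction("2 + 3"));
console.log("JSON config:                ", parseData('{"width": 300}'));
console.log("code-looking string:        ", parseData("localSecret"));
```

Run it with node. The split in the example mirrors the answer: new Function() removes the caller's scope from what the string can reach, which is the exposure the answer describes, while it still executes whatever code it is handed; strings that only need to be read as values belong in JSON.parse.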
