Merge pull request #332 from cksource/t/8584c

Removed eval usage from template.
ckeditor · Apr 4, 2017 · 3ee6035 · 3ee6035
2 parents da7d4f1 + d060126
commit 3ee6035
Show file tree

Hide file tree

Showing 4 changed files with 48 additions and 40 deletions.
diff --git a/CHANGES.md b/CHANGES.md
@@ -13,6 +13,7 @@ New Features:
 Fixed Issues:
 
 * [#16935](http://dev.ckeditor.com/ticket/16935): Fixed: [Chrome] Blurring editor in [Source Mode](http://ckeditor.com/addon/sourcearea) throws an error.
+* [#13381](http://dev.ckeditor.com/ticket/13381): Fixed: Dynamic code evaluation call in [`CKEDITOR.template`](http://docs.ckeditor.com/#!/api/CKEDITOR.template) removed. CKEditor can be used with `unsafe-inline` Content Security Policy. Thanks to [Caridy Patiño](http://caridy.name)!
 * [#16825](http://dev.ckeditor.com/ticket/16825): Fixed: [Chrome] Error thrown when destroying focused inline editor.
 * [#16857](http://dev.ckeditor.com/ticket/16857): Fixed: Ctrl + Shift + V blocked by copy formatting.
 * [#14714](http://dev.ckeditor.com/ticket/14714): [Webkit/Blink] Fixed: Exception thrown on refocusing a blurred inline editor.

diff --git a/core/template.js b/core/template.js
@@ -9,11 +9,7 @@
  */
 
 ( function() {
-	var cache = {},
-		rePlaceholder = /{([^}]+)}/g,
-		reEscapableChars = /([\\'])/g,
-		reNewLine = /\n/g,
-		reCarriageReturn = /\r/g;
+	var rePlaceholder = /{([^}]+)}/g;
 
 	/**
 	 * Lightweight template used to build the output string from variables.
@@ -27,42 +23,35 @@
 	 * @param {String} source The template source.
 	 */
 	CKEDITOR.template = function( source ) {
-		// Builds an optimized function body for the output() method, focused on performance.
-		// For example, if we have this "source":
-		//	'<div style="{style}">{editorName}</div>'
-		// ... the resulting function body will be (apart from the "buffer" handling):
-		//	return [ '<div style="', data['style'] == undefined ? '{style}' : data['style'], '">', data['editorName'] == undefined ? '{editorName}' : data['editorName'], '</div>' ].join('');
+		/**
+		 * Current template source.
+		 *
+		 * @readonly
+		 * @member CKEDITOR.template
+		 * @property {String}
+		 */
+		this.source = String( source );
+	};
 
-		// Try to read from the cache.
-		if ( cache[ source ] )
-			this.output = cache[ source ];
-		else {
-			var fn = source
-				// Escape chars like slash "\" or single quote "'".
-				.replace( reEscapableChars, '\\$1' )
-				.replace( reNewLine, '\\n' )
-				.replace( reCarriageReturn, '\\r' )
-				// Inject the template keys replacement.
-				.replace( rePlaceholder, function( m, key ) {
-					return "',data['" + key + "']==undefined?'{" + key + "}':data['" + key + "'],'";
-				} );
+	/**
+	 * Processes the template, filling its variables with the provided data.
+	 *
+	 * @method
+	 * @member CKEDITOR.template
+	 * @param {Object} data An object containing properties which values will be
+	 * used to fill the template variables. The property names must match the
+	 * template variables names. Variables without matching properties will be
+	 * kept untouched.
+	 * @param {Array} [buffer] An array into which the output data will be pushed into.
+	 * The number of entries appended to the array is unknown.
+	 * @returns {String/Number} If `buffer` has not been provided, the processed
+	 * template output data, otherwise the new length of `buffer`.
+	 */
+	CKEDITOR.template.prototype.output = function( data, buffer ) {
+		var output = this.source.replace( rePlaceholder, function( fullMatch, dataKey ) {
+			return data[ dataKey ] !== undefined ? data[ dataKey ] : fullMatch;
+		} );
 
-			fn = "return buffer?buffer.push('" + fn + "'):['" + fn + "'].join('');";
-			this.output = cache[ source ] = Function( 'data', 'buffer', fn );
-		}
+		return buffer ? buffer.push( output ) : output;
 	};
 } )();
-
-/**
- * Processes the template, filling its variables with the provided data.
- *
- * @method output
- * @param {Object} data An object containing properties which values will be
- * used to fill the template variables. The property names must match the
- * template variables names. Variables without matching properties will be
- * kept untouched.
- * @param {Array} [buffer] An array into which the output data will be pushed into.
- * The number of entries appended to the array is unknown.
- * @returns {String/Number} If `buffer` has not been provided, the processed
- * template output data, otherwise the new length of `buffer`.
- */
diff --git a/tests/tickets/8584/csp.html b/tests/tickets/8584/csp.html
@@ -0,0 +1,10 @@
+<head>
+	<meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline'">
+</head>
+<body>
+	<textarea id="editor1">Sample content</textarea>
+
+	<script>
+		CKEDITOR.replace( 'editor1' );
+	</script>
+</body>
diff --git a/tests/tickets/8584/csp.md b/tests/tickets/8584/csp.md
@@ -0,0 +1,8 @@
+@bender-tags: tc, 4.7.0, 8584, editor
+@bender-ui: collapsed
+@bender-ckeditor-plugins: wysiwygarea, toolbar, undo, pastefromword, sourcearea, elementspath, list, link, basicstyles, stylescombo, font
+
+Check if the editor is usable:
+
+* the whole UI is rendered correctly,
+* there are no errors in console, especially connected with `Content-Security-Policy`.