Description
eval() usage (demos / Block Factory)
eval() is used in several demo and Block Factory files. If block definitions or generated code can be influenced by untrusted input (e.g. exported blocks, loaded workspace), this can lead to code injection.
| Location | Line | Usage |
| --- | --- | --- |
| packages/blockly/demos/blockfactory/block_exporter_tools.js | 141 | eval(blockDefs) on generated block definitions |
| packages/blockly/demos/blockfactory/factory_utils.js | 855 | eval(blockDefsString) in addBlockDefinitionsFromBlockTypes |
| packages/blockly/demos/blockfactory/factory.js | 220 | eval(code) for JavaScript block definitions (errors only logged, not shown in UI) |
| packages/blockly/demos/code/code.js | 601 | eval(code) for running generated JS (try/catch + alert) |

Risk: High if input is ever user/attacker-controlled; medium if demos only run trusted content.
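As an added example (not Blockly's own code), this is the shape of a loader that takes the place of the eval(blockDefsString) calls listed above: block definitions are parsed as JSON and structurally validated, so text that is actually JavaScript is rejected instead of executed. The key allow-list and the name pattern for `type` are assumptions chosen for the example.

```javascript
// Added example, not code from the Blockly demos. The demo code this issue
// reports hands the definition string to eval(); this loader parses it as
// strict JSON and checks its structure, so JavaScript input cannot run.

// Hypothetical allow-list of JSON block-definition keys this loader accepts.
const ALLOWED_KEYS = new Set([
  'type', 'message0', 'args0', 'output', 'previousStatement',
  'nextStatement', 'colour', 'tooltip', 'helpUrl', 'inputsInline',
]);

function parseBlockDefinitions(text) {
  let parsed;
  try {
    parsed = JSON.parse(text); // throws on anything that is not strict JSON
  } catch (e) {
    throw new Error('block definitions must be JSON, not JavaScript');
  }
  // Accept either one definition object or an array of them.
  const defs = Array.isArray(parsed) ? parsed : [parsed];
  for (const def of defs) {
    if (typeof def !== 'object' || def === null || Array.isArray(def)) {
      throw new Error('each definition must be a JSON object');
    }
    // Assumed naming rule for block types: identifier-like, no spaces.
    if (typeof def.type !== 'string' || !/^[a-z_][a-z0-9_]*$/i.test(def.type)) {
      throw new Error('definition is missing a valid "type" name');
    }
    for (const key of Object.keys(def)) {
      if (!ALLOWED_KEYS.has(key)) {
        throw new Error(`unexpected key "${key}" in block "${def.type}"`);
      }
    }
  }
  return defs;
}

// In a page that uses Blockly, the validated array would then be passed to
// Blockly.defineBlocksWithJsonArray(defs) rather than to eval().
```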
document.write (Code demo)
- File: packages/blockly/demos/code/code.js (lines 621–624)
- Usage: document.write for script loading.
- Issues:
  - Can break the page if run after load.
  - Generally deprecated and can enable script injection if the path or Code.LANG is influenced by input.
- Severity: Medium in a demo context.