CSP eval() error #67

dennishzg · 2019-04-23T13:19:23Z

vue2-filters doesn't work with a secure/strong CSP.
Currently, vue2-filters only works if you add the unsafe-eval CSP directive. Bad practice and unsafe!

I have to use version 0.3.0 because multiple eval()'s are used in newer versions.

Example:

vue2-filters/dist/vue2-filters.js

Lines 106 to 107 in d9ac0e2

    
           "use strict"; 
        
           eval("__webpack_require__.r(__webpack_exports__);\n/* harmony import */ var _util_index__WEBPACK_IMPORTED_MODULE_0__ = __webpack_require__(/*! ../util/index */ \"./src/util/index.js\");\n\n/**\n * Filter filter for arrays\n *\n * @param {Array} arr\n * @param {String} prop\n * @param {String|Number} search\n */\n\nfunction filterBy(arr, search) {\n  var arr = _util_index__WEBPACK_IMPORTED_MODULE_0__[\"default\"].convertArray(arr);\n\n  if (search == null) {\n    return arr;\n  }\n\n  if (typeof search === 'function') {\n    return arr.filter(search);\n  } // cast to lowercase string\n\n\n  search = ('' + search).toLowerCase();\n  var n = 2; // extract and flatten keys\n\n  var keys = Array.prototype.concat.apply([], _util_index__WEBPACK_IMPORTED_MODULE_0__[\"default\"].toArray(arguments, n));\n  var res = [];\n  var item, key, val, j;\n\n  for (var i = 0, l = arr.length; i < l; i++) {\n    item = arr[i];\n    val = item && item.$value || item;\n    j = keys.length;\n\n    if (j) {\n      while (j--) {\n        key = keys[j];\n\n        if (key === '$key' && contains(item.$key, search) || contains(_util_index__WEBPACK_IMPORTED_MODULE_0__[\"default\"].getPath(val, key), search)) {\n          res.push(item);\n          break;\n        }\n      }\n    } else if (contains(item, search)) {\n      res.push(item);\n    }\n  }\n\n  return res;\n}\n\nfunction contains(val, search) {\n  var i;\n\n  if (_util_index__WEBPACK_IMPORTED_MODULE_0__[\"default\"].isPlainObject(val)) {\n    var keys = Object.keys(val);\n    i = keys.length;\n\n    while (i--) {\n      if (contains(val[keys[i]], search)) {\n        return true;\n      }\n    }\n  } else if (_util_index__WEBPACK_IMPORTED_MODULE_0__[\"default\"].isArray(val)) {\n    i = val.length;\n\n    while (i--) {\n      if (contains(val[i], search)) {\n        return true;\n      }\n    }\n  } else if (val != null) {\n    return val.toString().toLowerCase().indexOf(search) > -1;\n  }\n}\n\n/* harmony default export */ __webpack_exports__[\"default\"] = (filterBy);\n\n//# sourceURL=webpack:///./src/array/filterBy.js?");

freearhey · 2019-04-23T13:46:49Z

Thank you for bringing this issue to my attention. I'll try to figure it out and resolve it by the next release.

freearhey added the planned label Apr 23, 2019

freearhey added a commit that referenced this issue Jul 17, 2019

Fixes "CSP eval() error" issue #67

46eb27e

freearhey removed the planned label Jul 17, 2019

freearhey closed this as completed Jul 17, 2019

snyk-bot mentioned this issue Feb 24, 2020

Upgrade vue2-filters from 0.3.0 to 0.9.1 rundeck/rundeck#5823

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

CSP eval() error #67

CSP eval() error #67

dennishzg commented Apr 23, 2019

freearhey commented Apr 23, 2019

CSP eval() error #67

CSP eval() error #67

Comments

dennishzg commented Apr 23, 2019

freearhey commented Apr 23, 2019