New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Template's 'new Function' blocked by CSP #906
Comments
The use of the |
Let's tag 'em as we close 'em ;) |
Is there any chance at all this could be reconsidered. Some googling reveals a number of people running into this, and it would be brilliant if one of underscore.js's design goals is: runs perfectly in environments where CSP is deployed. Note that this is not Chrome-specific, this will appear in any CSP-enabled browser. |
Not without us implementing a JavaScript interpreter, I think. |
That is unfortunate! Thanks for answering though... |
@jvoisin One option is to use lodash-cli. For support on that head over to their gitter chat. lodash template="./*.jst" settings="{interpolate:/\{\{([sS]+?)\}\}/g}" |
The template rendering causes a CSP error, violating the unsafe-eval property: http://www.w3.org/TR/CSP/#script-src
render = new Function(settings.variable || 'obj', '_', source);
This was pointed out, and fixed, in Mustache a few months back: cweider/mustache.js@dac6470
The text was updated successfully, but these errors were encountered: