Skip to content

unsafe-eval in generated javascript code #5464

Closed
@zlk89

Description

@zlk89

What version of protobuf and what language are you using?
Version: v3.6.1
Language: Javascript

What operating system (Linux, Windows, ...) and version?
Mac OS 10.12.6

What runtime / compiler are you using (e.g., python version or gcc version)
Use the v3.6.1 compiled binary file protoc to compile

What did you do?
Steps to reproduce the behavior:

  1. Compile proto file into js using command like this: protoc --js_out=import_style=commonjs,binary:output_dir schema.proto
  2. You will find a line in generated javascript code:
    var global = Function('return this')();
    which is an unsafe eval that triggers error on user browser, if csp header doesn't whitelist unsafe-eval

What did you expect to see
Generated code shouldn't use any unsafe eval.
It can be replaced by something like
var global = (typeof self == "undefined" ? typeof global == "undefined"? this : global : self);

What did you see instead?
Seeing an unnecessary unsafe eval.

Make sure you include information that can help us debug (full error message, exception listing, stack trace, logs).

Anything else we should know about your project / environment

Metadata

Metadata

Assignees

Labels

No labels
No labels

Type

No type

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions