Cheap and reliable Node.js hosting starts at $3/month, and $1/month static HTML hosting

Created with love in Canada, visit hostnodejs.com today

Feel like to post an Ad? Learn Details

All Projects → atom → Loophole

atom / Loophole

Licence: mit

A hack to enable use of libraries that depend on a basic form of eval in Atom with CSP enabled

Programming Languages

coffeescript

4710 projects

Eval Loophole

This is a hack to enable third-party libraries that depend on a limited subset of eval semantics to work in Atom with a content security policy that forbids calls to eval.

{allowUnsafeEval, allowUnsafeNewFunction} = require 'loophole'

allowUnsafeEval ->
  crazyLibrary.exploitLoophole() # allows `eval(...)`

allowUnsafeNewFunction ->
  crazyLibrary.exploitLoophole() # allows `new Function(...)`

You can also use the exported Function constructor directly:

{Function} = require 'loophole'
f = new Function("return 1 + 1;")

How?

allowUnsafeEval replaces eval with a call to vm.runInThisContext, which won't perfectly emulate eval but is good enough in certain circumstances, like compiling PEG.js grammars.

allowUnsafeNewFunction temporarily replaces global.Function with loophole.Function, which passes the source of the desired function to vm.runInThisContext.

Why?

If there's a loophole, why even enable CSP? It still prevents developers from accidentally invoking eval with legacy libraries. For example, did you know that jQuery runs eval when you pass it content with script tags? If you want eval, you'll need to explicitly ask for it.

Note that the project description data, including the texts, logos, images, and/or trademarks, for each open source project belongs to its rightful owner. If you wish to add or remove any projects, please contact us at [email protected].

Stars: ✭ 40

Visit Git Page 🔗Visit User Page 🔗Visit Issues Page (3) 🔗