https://community.esri.com/t5/arcgis-web-appbuilder-questions/use-of-eval-function-in-esri-codebase/m-p/341445#M9080 <HTML><HEAD></HEAD><BODY><P>Hi. This is still an issue for us. Has anyone experienced this on an external facing portal serving a WAB app?&nbsp;<A href="https://community.esri.com/migrated-users/3931">Randall Williams</A> Is the use of eval() a potential security issue?</P><P></P><P>Here's the error that the Eval() ends up producing on the client when the app is served from our external server.</P><P><IMG class="image-3 jive-image" src="https://community.esri.com/legacyfs/online/460173_pastedImage_4.png" /></P><P></P><P>Here's a screenshot of Chrome Dev Tools showing the code that is being served to the client externally when init.js contains the eval() function.<IMG class="image-1 jive-image" src="https://community.esri.com/legacyfs/online/460167_pastedImage_1.png" /></P><P></P><P>This is what we see when served internally. And there is no error.</P><P><IMG class="image-2 jive-image" src="https://community.esri.com/legacyfs/online/460172_pastedImage_3.png" /></P></BODY></HTML> Sun, 22 Sep 2019 21:40:52 GMT AndrewTerwiel 2019-09-22T21:40:52Z https://community.esri.com/t5/arcgis-web-appbuilder-questions/use-of-eval-function-in-esri-codebase/m-p/341442#M9077 <HTML><HEAD></HEAD><BODY><P>We have just had a web app fail due to a syntax error that was caused by the returned value of the eval() function. See<A href="https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/eval"> this document</A> for reasons not to use eval(). I've replaced this function with JSON.parse() and this has gotten our web app running again. Can anyone tell me why ESRI is using eval() in their code when it is known to cause problems?</P></BODY></HTML> Tue, 13 Nov 2018 02:27:17 GMT https://community.esri.com/t5/arcgis-web-appbuilder-questions/use-of-eval-function-in-esri-codebase/m-p/341442#M9077 AndrewTerwiel 2018-11-13T02:27:17Z https://community.esri.com/t5/arcgis-web-appbuilder-questions/use-of-eval-function-in-esri-codebase/m-p/341443#M9078 <HTML><HEAD></HEAD><BODY><P>Andrew,</P><P></P><P>&nbsp; &nbsp;I have not seen esri use the eval() function in their code. Can you provide a location where you see them using it?</P></BODY></HTML> Tue, 13 Nov 2018 13:53:10 GMT https://community.esri.com/t5/arcgis-web-appbuilder-questions/use-of-eval-function-in-esri-codebase/m-p/341443#M9078 RobertScheitlin__GISP 2018-11-13T13:53:10Z https://community.esri.com/t5/arcgis-web-appbuilder-questions/use-of-eval-function-in-esri-codebase/m-p/341444#M9079 <HTML><HEAD></HEAD><BODY><P>They have used it in <STRONG>init.js</STRONG> located in the root of a web app that we created with Web AppBuilder from our on-premise Enterprise Portal 10.5. There is a <STRONG>setLocale()</STRONG> function at line 208, then at line 217 within this function they have this:</P><PRE class="language-javascript line-numbers"><CODE><SPAN class="keyword token">var</SPAN> userObj <SPAN class="operator token">=</SPAN> <SPAN class="token function">eval</SPAN><SPAN class="punctuation token">(</SPAN><SPAN class="string token">'('</SPAN> <SPAN class="operator token">+</SPAN> <SPAN class="token function">unescape</SPAN><SPAN class="punctuation token">(</SPAN>allCookies<SPAN class="punctuation token">.</SPAN>esri_auth<SPAN class="punctuation token">)</SPAN> <SPAN class="operator token">+</SPAN> <SPAN class="string token">')'</SPAN><SPAN class="punctuation token">)</SPAN><SPAN class="punctuation token">;</SPAN>‍<SPAN class="line-numbers-rows"><SPAN>‍</SPAN></SPAN></CODE></PRE></BODY></HTML> Tue, 13 Nov 2018 20:17:33 GMT https://community.esri.com/t5/arcgis-web-appbuilder-questions/use-of-eval-function-in-esri-codebase/m-p/341444#M9079 AndrewTerwiel 2018-11-13T20:17:33Z https://community.esri.com/t5/arcgis-web-appbuilder-questions/use-of-eval-function-in-esri-codebase/m-p/341445#M9080 <HTML><HEAD></HEAD><BODY><P>Hi. This is still an issue for us. Has anyone experienced this on an external facing portal serving a WAB app?&nbsp;<A href="https://community.esri.com/migrated-users/3931">Randall Williams</A> Is the use of eval() a potential security issue?</P><P></P><P>Here's the error that the Eval() ends up producing on the client when the app is served from our external server.</P><P><IMG class="image-3 jive-image" src="https://community.esri.com/legacyfs/online/460173_pastedImage_4.png" /></P><P></P><P>Here's a screenshot of Chrome Dev Tools showing the code that is being served to the client externally when init.js contains the eval() function.<IMG class="image-1 jive-image" src="https://community.esri.com/legacyfs/online/460167_pastedImage_1.png" /></P><P></P><P>This is what we see when served internally. And there is no error.</P><P><IMG class="image-2 jive-image" src="https://community.esri.com/legacyfs/online/460172_pastedImage_3.png" /></P></BODY></HTML> Sun, 22 Sep 2019 21:40:52 GMT https://community.esri.com/t5/arcgis-web-appbuilder-questions/use-of-eval-function-in-esri-codebase/m-p/341445#M9080 AndrewTerwiel 2019-09-22T21:40:52Z https://community.esri.com/t5/arcgis-web-appbuilder-questions/use-of-eval-function-in-esri-codebase/m-p/341446#M9081 <HTML><HEAD></HEAD><BODY><P>This is related to:&nbsp;</P><P></P><P><SPAN style="font-size: 13px;"><SPAN class="">[#BUG-000121479 Web AppBuilder Apps Require 'unsafe-inline' and 'unsafe-eval' in ContentSecurityPolicy Header]</SPAN></SPAN></P><P></P><P>There are issues in both the WAB and in JS API 3.x that result in breaking changes when we prevent unsafe-eval. These issues are caused in part by upstream dependencies.</P><P></P><P>My understanding is that this is addressed in the next version of the WAB (The "Experienec Builder") which shoud be out later this year.</P><P><SPAN style="font-size: 13px;"><SPAN class=""></SPAN></SPAN></P></BODY></HTML> Mon, 23 Sep 2019 19:19:16 GMT https://community.esri.com/t5/arcgis-web-appbuilder-questions/use-of-eval-function-in-esri-codebase/m-p/341446#M9081 RandallWilliams 2019-09-23T19:19:16Z