Use of eval() function in ESRI codebase

420
4
11-12-2018 06:27 PM
AndrewTerwiel
Occasional Contributor II

We have just had a web app fail due to a syntax error that was caused by the returned value of the eval() function. See this document for reasons not to use eval(). I've replaced this function with JSON.parse() and this has gotten our web app running again. Can anyone tell me why ESRI is using eval() in their code when it is known to cause problems?

Tags (1)
0 Kudos
4 Replies
RobertScheitlin__GISP
MVP Esteemed Contributor

Andrew,

   I have not seen esri use the eval() function in their code. Can you provide a location where you see them using it?

0 Kudos
AndrewTerwiel
Occasional Contributor II

They have used it in init.js located in the root of a web app that we created with Web AppBuilder from our on-premise Enterprise Portal 10.5. There is a setLocale() function at line 208, then at line 217 within this function they have this:

var userObj = eval('(' + unescape(allCookies.esri_auth) + ')');
AndrewTerwiel
Occasional Contributor II

Hi. This is still an issue for us. Has anyone experienced this on an external facing portal serving a WAB app? Randall Williams Is the use of eval() a potential security issue?

Here's the error that the Eval() ends up producing on the client when the app is served from our external server.

Here's a screenshot of Chrome Dev Tools showing the code that is being served to the client externally when init.js contains the eval() function.

This is what we see when served internally. And there is no error.

0 Kudos
RandallWilliams
Esri Regular Contributor

This is related to: 

[#BUG-000121479 Web AppBuilder Apps Require 'unsafe-inline' and 'unsafe-eval' in ContentSecurityPolicy Header]

There are issues in both the WAB and in JS API 3.x that result in breaking changes when we prevent unsafe-eval. These issues are caused in part by upstream dependencies.

My understanding is that this is addressed in the next version of the WAB (The "Experienec Builder") which shoud be out later this year.

0 Kudos