Viewing 10 replies - 1 through 10 (of 10 total)
  • Plugin Author CodePeople2

    (@codepeople2)

    Hello @matthiaspabst

    In the current plugin version, it is required to evaluate the equations at runtime. However, the plugin escapes the fields’ values before using them in the equations. Note that you enter the equations by referring to the fields directly by their names, but the plugin must replace them and evaluate the equations. We are working on a mechanism to not depend on eval, but the plugin currently uses it safely.

    Best regards.

    Plugin Author CodePeople2

    (@codepeople2)

    Hello @matthiaspabst

    Please contact us through the plugin website. We will provide you with the code currently in progress to replace the “eval.”

    https://cff.dwbooster.com/contact-us

    Best regards.

    Thread Starter Matze Pabst

    (@matthiaspabst)

    Hello @codepeople2

    Thank you for your quick reply! Even if the eval() function is used safely in this case (is that even possible?), it does not solve the problem with a strict CSP without script-src 'unsafe-eval'. I am glad to hear that you are taking this issue seriously and working on a solution. Is it already clear when an updated version will be available?

    Best regards
    Matthias

    Thread Starter Matze Pabst

    (@matthiaspabst)

    @codepeople2 Sorry, just noticed your 2nd reply. I will contact you.

    Plugin Author CodePeople2

    (@codepeople2)

    Hello @matthiaspabst

    I wanted to follow up and see if you received the emails we sent from the plugin website. If you have, please let me know. Thank you!

    Thread Starter Matze Pabst

    (@matthiaspabst)

    @codepeople2

    I received your emails, tested the script and it works! The form is not breaking now when using a CSP that doesn’t allow script-src 'unsafe-eval'.

    Thank you for your quick support!

    Plugin Author CodePeople2

    (@codepeople2)

    Hello @matthiaspabst

    Thank you so much for the feedback.

    Best regards.

    Plugin Author CodePeople2

    (@codepeople2)

    Hello @matthiaspabst

    We released a plugin update that includes the modifications to the file we previously provided and additional enhancements.

    Best regards.

    Thread Starter Matze Pabst

    (@matthiaspabst)

    Hi @codepeople2

    I installed this update and now the CSP errors because of the missing script-src 'unsafe-eval' are back. all.js line 10167 still uses eval().

    I rolled back to the fbuilder.fcalculated.js you sent me a few days ago.

    Best regards
    Matthias

    Plugin Author CodePeople2

    (@codepeople2)

    Hello @matthiaspabst

    It includes the evaluation in a try/catch block. If you have enabled the protection directives, it will use the exact code we provided you from the plugin website.


    try {
        r = eval(eq);
    } catch (err) {
        if ( err instanceof EvalError ) r = $.fbuilder['eval'].call(this, eq);
        else throw err;
    }

    Could you please provide the link to the page containing the form after you install the plugin’s update?
    Best regards.
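
For readers following the thread's question of evaluating form equations under a CSP without script-src 'unsafe-eval': the sketch below is an added example, not code from the thread or from the plugin, and it is not the plugin's `$.fbuilder['eval']`. It parses arithmetic with a small recursive-descent parser and never calls `eval()` or `new Function`; the names `tokenize` and `evaluateEquation` and the sample field names are assumptions.

```javascript
// Added example: helper names are hypothetical, not the plugin's $.fbuilder['eval'].
function tokenize(src) {
  const re = /\s*(?:(\d+(?:\.\d+)?)|([A-Za-z_]\w*)|([-+*\/()]))/y;
  const tokens = [];
  let pos = 0;
  while (src.slice(pos).trim() !== '') {
    re.lastIndex = pos;
    const m = re.exec(src);
    if (!m) throw new SyntaxError('Unexpected character near offset ' + pos);
    if (m[1] !== undefined) tokens.push({ type: 'num', value: Number(m[1]) });
    else tokens.push({ type: m[2] !== undefined ? 'name' : 'op', value: m[2] ?? m[3] });
    pos = re.lastIndex;
  }
  return tokens;
}

function evaluateEquation(equation, fields) {
  const tokens = tokenize(equation);
  let i = 0;
  const peek = () => (tokens[i] && tokens[i].type === 'op' ? tokens[i].value : null);
  const apply = { '+': (a, b) => a + b, '-': (a, b) => a - b, '*': (a, b) => a * b, '/': (a, b) => a / b };
  const level = (ops, next) => () => { // one left-associative precedence level
    let v = next();
    while (ops.includes(peek())) v = apply[tokens[i++].value](v, next());
    return v;
  };
  function primary() {
    const t = tokens[i++];
    if (!t) throw new SyntaxError('Unexpected end of equation');
    if (t.type === 'num') return t.value;
    if (t.type === 'name') { // field values are coerced to numbers, never parsed as code
      if (!Object.prototype.hasOwnProperty.call(fields, t.value)) throw new ReferenceError('Unknown field: ' + t.value);
      const v = Number(fields[t.value]);
      if (!Number.isFinite(v)) throw new TypeError('Non-numeric field: ' + t.value);
      return v;
    }
    if (t.value === '-') return -primary();
    if (t.value === '(') {
      const v = expr();
      if (tokens[i++]?.value !== ')') throw new SyntaxError('Expected ")"');
      return v;
    }
    throw new SyntaxError('Unexpected token: ' + t.value);
  }
  const term = level(['*', '/'], primary);
  const expr = level(['+', '-'], term);
  const result = expr();
  if (i < tokens.length) throw new SyntaxError('Unexpected trailing input');
  return result;
}
```

Because field values only ever pass through `Number()`, a value that contains script text is rejected as non-numeric instead of being spliced into evaluated source.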
