bug #27584 Avoid calling eval when there is no script embedded in the toolbar (stof)

This PR was merged into the 4.1 branch. Discussion ---------- Avoid calling eval when there is no script embedded in the toolbar | Q | A | ------------- | --- | Branch? | 4.1 | Bug fix? | yes | New feature? | no | BC breaks? | no | Deprecations? | no | Tests pass? | yes | Fixed tickets | #27583 | License | MIT | Doc PR | n/a #27189 changed the way embedded scripts were eval'd for the toolbar. But it also refactored the code in a way triggering `eval` all the time, even when there is no embedded script, which was reported several times as an issue with CSP. While the debug panel (showing dumps) still requires having `unsafe-eval` in the CSP header (due to embedding scripts that we eval), this PR reverts back to the behavior of Symfony 4.0 and older, where only toolbars actually embedding scripts have this CSP compat issue. Commits ------- a0f78a5e0b Avoid calling eval when there is no script embedded in the toolbar
2018-06-13 07:33:56 +02:00 · 2018-06-13 07:33:56 +02:00 · fb4c79bca7
commit fb4c79bca7
parent 413af69e1d a0f78a5e0b
1 changed files with 5 additions and 4 deletions
--- a/src/Symfony/Bundle/WebProfilerBundle/Resources/views/Profiler/base_js.html.twig
+++ b/src/Symfony/Bundle/WebProfilerBundle/Resources/views/Profiler/base_js.html.twig
@ -419,9 +419,10 @@
                    function(xhr, el) {

                        /* Evaluate in global scope scripts embedded inside the toolbar */
-                        eval.call({}, ([].slice.call(el.querySelectorAll('script')).map(function (script) {
-                          return script.firstChild.nodeValue;
-                        }).join(';\n')));
+                        var i, scripts = [].slice.call(el.querySelectorAll('script'));
+                        for (i = 0; i < scripts.length; ++i) {
+                            eval.call({}, scripts[i].firstChild.nodeValue);
+                        }

                        el.style.display = -1 !== xhr.responseText.indexOf('sf-toolbarreset') ? 'block' : 'none';

@ -440,7 +441,7 @@
                        }

                        /* Handle toolbar-info position */
-                        var i, toolbarBlocks = [].slice.call(el.querySelectorAll('.sf-toolbar-block'));
+                        var toolbarBlocks = [].slice.call(el.querySelectorAll('.sf-toolbar-block'));
                        for (i = 0; i < toolbarBlocks.length; ++i) {
                            toolbarBlocks[i].onmouseover = function () {
                                var toolbarInfo = this.querySelectorAll('.sf-toolbar-info')[0];