dev.horde.org
10/20/25
Comment on [#13379] Discontinue eval
> We are in the process of deploying CSP headers for Horde. Through that we discovered usage of JS eval in Horde. Especially for a webmail and the associated danger of injections it would be nice if Horde could discontinue the use of eval (and maybe even inline JS/CSS).
>
> One particular case we see is in DimpBase>>loadPreview. It seems it is only used atm to display modal dialogs from horde/imp/lib/Ajax/Imple/PassphraseDialog.php.
>
> Then in the dynamic composer: new Function("t", "return t.sub(/<[^>]*>$/, \"\").strip().escapeHTML()") afaik this is a static string, so why even new Function?
>
> Then there are some reports from /imp/dynamic.php?page=message&mailbox=... that I was not able to tackle yet.
>
> There might be more occurrences.
>
> If you are interested in fixing those, we can provide more data as soon as we have better processing for the logs.
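The reporter's point about the composer snippet is that `new Function` with a constant body is runtime code generation for no benefit, and it is exactly what a Content-Security-Policy `script-src` without `'unsafe-eval'` forbids (the browser throws an EvalError at the `new Function` call). The following is an added example, not Horde's code: it shows the dynamic form beside the static function that replaces it, using plain-JS stand-ins for Prototype's `sub`, `strip` and `escapeHTML` (the helper names and the sample inputs are this example's own assumptions).

```javascript
// Added example, not code from Horde/IMP. Demonstrates replacing a
// `new Function` with a constant body by an ordinary function, which is
// what a CSP script-src without 'unsafe-eval' requires.

// Plain-JS stand-in for Prototype's String#escapeHTML. It also escapes
// quotes; that is an assumption of this example, not a statement about
// what Prototype's helper does.
function escapeHTML(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// The pattern the ticket objects to: a function body that is a string
// literal, compiled at runtime. Under a CSP that omits 'unsafe-eval' this
// call throws an EvalError in the browser, so the feature simply breaks.
function buildWithNewFunction() {
  return new Function(
    "t",
    "return t.replace(/<[^>]*>$/, '').trim();" // constant body, no input reaches it
  );
}

// The equivalent static function: identical behaviour, no code generation,
// so it runs under a strict CSP. Mirrors the snippet's order: strip the
// trailing <...> first, then trim whitespace.
function stripTrailingTag(t) {
  return t.replace(/<[^>]*>$/, "").trim();
}

// Full equivalent of the snippet in the ticket (sub + strip + escapeHTML):
// turn a "Name <addr>" header value into an HTML-safe display name.
function displayName(t) {
  return escapeHTML(stripTrailingTag(t));
}

// Constructed sample inputs (not real log data).
const samples = [
  "Alice Example <alice@example.com>",
  "  Bob <bob@example.com>  ",
  "\"Eve\" <e@example.com>",
  "x<script>alert(1)</script> <z@example.com>",
];

// The dynamic and static versions agree on every sample.
function sameResults() {
  const dyn = buildWithNewFunction();
  return samples.every((s) => dyn(s) === stripTrailingTag(s));
}

for (const s of samples) {
  console.log(JSON.stringify(s), "->", JSON.stringify(displayName(s)));
}
console.log("dynamic and static agree:", sameResults());
```

One caveat worth noticing while doing the replacement: because the regex is anchored with `$` and runs before the trim, a value with trailing whitespace (the "Bob" sample) keeps its `<addr>` part; the static rewrite preserves that behaviour rather than silently changing it, which is what you want when the goal is only to drop the eval.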