EvalError: Refused to evaluate a string as JavaScript #1158

Closed
lhorie opened this issue Sep 25, 2018 · 2 comments

lhorie commented Sep 25, 2018

React-axe doesn't work when loaded in a page with strict content security policies (e.g. it throws EvalError with script-src 'self').

react-axe version: 3.0.2
axe-core version: 3.0.0

One workaround is to disable CSP rules in development, but ideally, CSP rules should be the same in dev and prod to avoid crashes if an unrelated package also abuses eval-like constructs.

WilcoFiers (Contributor) commented

Can you raise this issue on react-axe instead? This is not an issue with the engine.
https://github.com/dequelabs/react-axe/issues/new

lhorie commented Sep 28, 2018

I can but I don't believe it's an issue in react-axe.

Here's where the code throws:

// node_modules/axe-core/axe.js:1755
  'use strict';
  axe.imports['doT'] = function(module, exports, define, require, process) {
    var global = Function('return this')(); // <---

I assumed it had something to do with this:

file: './node_modules/dot/doT.js',
hence why I filed here

The react-axe package does not explicitly depend on doT

I also found other instances, e.g.

// node_modules/axe-core/axe.js:243
metadata.messages[prop] = new Function('return ' + metadata.messages[prop] + ';')();

which presumably comes from

metadata.messages[prop] = new Function(
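
An added example, not part of the thread and not axe-core or react-axe code: a small JavaScript audit that flags the eval-like calls quoted above and checks whether a policy string such as `script-src 'self'` would refuse them. The names `findEvalSinks`, `cspBlocksEval`, `SAMPLE` and `POLICY` are assumptions made for illustration, and the sample input is constructed.

```javascript
// Added example: audit source text for eval-like sinks that a CSP without
// 'unsafe-eval' refuses to run. Regex matching is a heuristic, not a parser.
const EVAL_SINKS = [
  { name: 'eval()', re: /(?<![.\w$])eval\s*\(/ },
  { name: 'new Function()', re: /\bnew\s+Function\s*\(/ },
  { name: 'Function()', re: /(?<![.\w$])(?<!\bnew\s+)Function\s*\(/ },
  { name: 'string timer', re: /\bset(?:Timeout|Interval)\s*\(\s*['"`]/ },
];

function findEvalSinks(source) {
  const findings = [];
  source.split(/\r?\n/).forEach((text, i) => {
    for (const { name, re } of EVAL_SINKS) {
      if (re.test(text)) findings.push({ line: i + 1, sink: name, text: text.trim() });
    }
  });
  return findings;
}

// True when the policy's script-src (or default-src fallback) lacks 'unsafe-eval'.
function cspBlocksEval(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...values] = part.trim().toLowerCase().split(/\s+/);
    // Only the first occurrence of a directive counts; repeats are ignored.
    if (name && !directives.has(name)) directives.set(name, values);
  }
  const sources = directives.get('script-src') || directives.get('default-src');
  if (!sources) return false; // no governing directive, so nothing is restricted
  return !sources.includes("'unsafe-eval'");
}

// Constructed sample: the two calls quoted in the thread plus a CSP-safe lookup.
const SAMPLE = [
  "axe.imports['doT'] = function(module, exports, define, require, process) {",
  "  var global = Function('return this')();",
  "metadata.messages[prop] = new Function('return ' + metadata.messages[prop] + ';')();",
  "var root = typeof globalThis !== 'undefined' ? globalThis : self;",
].join('\n');

const POLICY = "script-src 'self'"; // the policy named in the issue
if (cspBlocksEval(POLICY)) {
  for (const f of findEvalSinks(SAMPLE)) {
    console.log(`line ${f.line}: ${f.sink} blocked by CSP -> ${f.text}`);
  }
}
```

Running the same scan over a built bundle before enforcing the policy shows which dependencies would throw EvalError, so dev and prod can share one CSP.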
