Merge pull request #430 from struts-community-plugins/feature/avoid-eval

Avoids using eval() in JavaScript

struts2-jquery-grid-showcase/src/main/webapp/WEB-INF/content/index.jsp

@@ -6,7 +6,7 @@
 	<meta http-equiv="Content-Security-Policy" content="
                           default-src 'none';
                           script-src 'self' 'unsafe-inline' 'unsafe-eval' 'unsafe-hashes';
-                          style-src 'self' 'unsafe-inline' http://fonts.googleapis.com https://fonts.googleapis.com;
+                          style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://fonts.googleapis.com;
                           base-uri 'self';
                           font-src 'self'  http://fonts.gstatic.com https://fonts.gstatic.com;
                           img-src 'self' data:;

struts2-jquery-grid-showcase/src/main/webapp/styles/flexible-grids.css

@@ -13,7 +13,7 @@
  */
 
 /* Google Font API */
-@import url(http://fonts.googleapis.com/css?family=Droid+Serif:400,400italic,700|Droid+Sans:700);
+@import url(https://fonts.googleapis.com/css?family=Droid+Serif:400,400italic,700|Droid+Sans:700);
 
 /* import core styles | Basis-Stylesheets einbinden */
 @import url(../yaml/core/base.css);

struts2-jquery-plugin/src/main/resources/template/jquery/datepicker-close.ftl

@@ -88,7 +88,7 @@ jQuery(document).ready(function () {
 	options_${escapedOptionId}.numberofmonths = "${parameters.numberOfMonths}";
   </#if>
   <#if parameters.showOptions! != "">
-	options_${escapedOptionId}.showoptions = "${parameters.showOptions}";
+	options_${escapedOptionId}.showoptions = "${parameters.showOptions?no_esc}";
   </#if>
   <#if parameters.yearRange! != "">
 	options_${escapedOptionId}.yearRange = "${parameters.yearRange}";

struts2-jquery-plugin/src/main/resources/template/js/plugins/jquery-ui-timepicker-addon.js

@@ -177,7 +177,7 @@
 					var attrValue = $input.attr('time:' + attrName);
 					if (attrValue) {
 						try {
-							inlineSettings[attrName] = eval(attrValue);
+							inlineSettings[attrName] = attrValue;
 						} catch (err) {
 							inlineSettings[attrName] = attrValue;
 						}

struts2-jquery-plugin/src/main/resources/template/js/struts2/jquery.struts2.js

@@ -84,16 +84,16 @@
 	/**Change Parameter Value in URL */
 	changeParam : function(url, param, value) {
 		var ua = url.split("?"), // split url
-			pa = ua[1].split("&"), // split query 
+			pa = ua[1].split("&"), // split query
 			ia = [],
-			i; 
-		for (i=0; i < pa.length; i++) { 
-			ia = pa[i].split("="); // split name/value 
-			if (ia[0] === param) { 
-				pa[i] = ia[0] + "=" + value; 
+			i;
+		for (i=0; i < pa.length; i++) {
+			ia = pa[i].split("="); // split name/value
+			if (ia[0] === param) {
+				pa[i] = ia[0] + "=" + value;
 			}
 		}
-		return ua[0] + "?" + pa.join("&"); 
+		return ua[0] + "?" + pa.join("&");
 	},
 
 	/** Load required JavaScript Resourcess */
@@ -114,9 +114,9 @@
 			files = files.split(",");
 		}
 		$.each(files, function(i, file) {
-			
+
 			file = self.addParam(file, "s2j="+$.struts2_jquery.version);
-			
+
 			if (!$.struts2_jquery.scriptCache[file]) {
 				self.log('load require script ' + (path + file));
 				$.ajax( {
@@ -194,7 +194,7 @@
 		if (!self.loadAtOnce) {
 			self.require("js/plugins/jquery.form" + self.minSuffix + ".js");
 		}
-		
+
 		params.type = "POST";
 		params.data = {
 				"struts.enableJSONValidation": true,
@@ -556,7 +556,7 @@
 		$(window).bind('hashchange', params, function(e) {
 			var topic = e.getState(e.data.target) || '';
 			$.each(e.fragment.split('&'), function(i, f) {
-				var fragment = f.split('='); 
+				var fragment = f.split('=');
 				if(self.historyelements[fragment[0]] !== fragment[1] && fragment[1] !== self.lasttopic ) {
 					self.lasttopic = topic;
 					$.publish(fragment[1], e.data.options);
@@ -571,7 +571,7 @@
 			actionTopic = '_sj_action_' + o.id,
 			href = o.href,
 			effect = {};
-			
+
 		o.actionTopic = actionTopic;
 
 		if (href === null || href === "") {
@@ -646,7 +646,7 @@
 			effect = {},
 			bindel = $elem,
 			eventsStr = 'click';
-		
+
 		self.log('container : ' + o.id);
 		self.action($elem, o, self.handler.load, 'div');
 
@@ -738,12 +738,12 @@
 					});
 				}
 			}
-			
+
 			if (ui && o.resizable) {
 				ui.resizable($elem, o);
 			}
 		}
-		
+
 		if (ui && o.draggable) {
 			ui.draggable($elem, o);
 		}
@@ -756,7 +756,7 @@
 		if (ui && o.sortable) {
 			ui.sortable($elem, o);
 		}
-		
+
 		if (o.onblurtopics) {
 			$.each(o.onblurtopics.split(','), function(i, topic) {
 				$elem.blur( function() {
@@ -825,7 +825,7 @@
 				});
 			}
 		}
-		
+
 	},
 
 	/** Handle dynamic Select Boxes */
@@ -868,7 +868,7 @@
 			cform,cf,formid,randomid;
 
 		o.preventAction = true;
-		
+
 		if (o.opendialog) {
 			$.struts2_jquery_ui.opendialog($elem, o);
 		}
@@ -945,8 +945,8 @@
 				}
 			});
 			$.each(o.formids.split(','), function(i, f) {
-				$(self.escId(f)).bind("submit", function(e) { 
-					e.preventDefault(); 
+				$(self.escId(f)).bind("submit", function(e) {
+					e.preventDefault();
 				});
 			});
 			$elem.click( function() {
@@ -957,22 +957,22 @@
 		else {
 			// Submit Forms without AJAX
 			if(o.formids === undefined) {
-				return; 
+				return;
 			}
 			$elem.click( function(e) {
 				var form = $(self.escId(o.formids)),
 					orginal = {};
-				orginal.formvalidate = true; 
-				e.preventDefault(); 
+				orginal.formvalidate = true;
+				e.preventDefault();
 				if (o.validate) {
 					orginal.formvalidate = self.validateForm(form, o);
 					if (o.onaftervalidation) {
-						$.each(o.onaftervalidation.split(','), function(i, topic) { 
+						$.each(o.onaftervalidation.split(','), function(i, topic) {
 							$elem.publish(topic, $elem, orginal);
 						});
-					}  
+					}
 				}
-				
+
 				if(orginal.formvalidate) {
                     if ( o.href && o.href != "#") {
                         form[0].action = o.href;
@@ -987,11 +987,11 @@
 				$elem.subscribe(o.listentopics, function(event) {
 					var form = $(self.escId(event.data.formids)),
 						orginal = {formvalidate : true};
-					
+
 					if (event.data.validate) {
 						orginal.formvalidate = self.validateForm(form, o);
 						if (o.onaftervalidation) {
-							$.each(o.onaftervalidation.split(','), function(i, topic) { 
+							$.each(o.onaftervalidation.split(','), function(i, topic) {
 								$elem.publish(topic, $elem, orginal);
 							});
 						}
@@ -1024,7 +1024,7 @@
 			indi, always,
 			modus = 'html',
 			params = {};
-			
+
 		if (data) {
 			$.extend(o, data);
 		}
@@ -1034,7 +1034,7 @@
 		s2j.lasttopic = o.actionTopic;
 		indi = o.indicatorid;
 		always = o.onalw;
-		
+
 		isDisabled = o.disabled === null ? isDisabled : o.disabled;
 		isDisabled = container.prop('disabled');
 		if (event.originalEvent) { // means that container load is being triggered by other action (link button/link click) need to see if that button/link is disabled
@@ -1229,12 +1229,12 @@
 
 			if (o.validate && orginal.options.submit)  {
 				orginal.options.submit = s2j.validateForm(form, o);
-				orginal.formvalidate = orginal.options.submit; 
+				orginal.formvalidate = orginal.options.submit;
 				if (o.onaftervalidation) {
-					$.each(o.onaftervalidation.split(','), function(i, topic) { 
+					$.each(o.onaftervalidation.split(','), function(i, topic) {
 						elem.publish(topic, elem, orginal);
 					});
-				}  
+				}
 			}
 			if (orginal.options.submit) {
 				s2j.showIndicator(indi);

struts2-jquery-plugin/src/main/resources/template/js/struts2/jquery.ui.struts2.js

@@ -71,7 +71,7 @@
                 ]);
             }
             if (!dao) {
-                dao = eval("( " + daos + " )");
+                dao = Function("return " + daos);
             }
             else {
                 dao = {};
@@ -102,7 +102,7 @@
                 ]);
             }
             if (!doo) {
-                doo = eval("( " + doos + " )");
+                doo = Function("return " + doos);
             }
             else {
                 doo = {};
@@ -131,7 +131,7 @@
                 ]);
             }
             if (!seo) {
-                seo = eval("( " + seos + " )");
+                seo = Function("return " + seos);
             }
             else {
                 seo = {};
@@ -162,7 +162,7 @@
                 ]);
             }
             if (!soo) {
-                soo = eval("( " + soos + " )");
+                soo = Function("return " + soos);
             }
             else {
                 soo = {};
@@ -197,7 +197,7 @@
                 ]);
             }
             if (!ro) {
-                ro = eval("( " + ros + " )");
+                ro = Function("return " + ros);
             }
             else {
                 ro = {};
@@ -325,7 +325,7 @@
 
             if (o.disabledtabs && o.disabledtabs !== 'false') {
                 if (!disabledtabs) {
-                    o.disabled = eval("( " + disabledtabsStr + " )");
+                    o.disabled = Boolean(disabledtabsStr);
                 }
             }
             if (o.openonmouseover) {
@@ -597,15 +597,15 @@
                 noms = o.numberofmonths;
                 nom = window[noms];
                 if (!nom) {
-                    params.numberOfMonths = eval("( " + noms + " )");
+                    params.numberOfMonths = Number(noms);
                 }
             }
 
             if (o.showoptions) {
                 sos = o.showoptions;
                 so = window[sos];
                 if (!so) {
-                    params.showOptions = eval("( " + sos + " )");
+                    params.showOptions = Function("return " + sos);
                 }
             }
 

struts2-jquery-showcase/src/main/webapp/WEB-INF/content/datatables/datatables.jsp

@@ -7,12 +7,9 @@
 	JQuery DataTables integration Demo : Client-side processing, jquery UI theme, DOM dataset
 </p>
 <!-- Required third party libs for pdf and excel export-->
-<script type="text/javascript" language="javascript" src="http://cdnjs.cloudflare.com/ajax/libs/jszip/2.5.0/jszip.min.js">
-</script>
-<script type="text/javascript" language="javascript" src="http://cdn.rawgit.com/bpampuch/pdfmake/0.1.18/build/pdfmake.min.js">
-</script>
-<script type="text/javascript" language="javascript" src="http://cdn.rawgit.com/bpampuch/pdfmake/0.1.18/build/vfs_fonts.js">
-</script>
+<s:script src="https://cdnjs.cloudflare.com/ajax/libs/jszip/2.5.0/jszip.min.js"/>
+<s:script src="https://cdn.rawgit.com/bpampuch/pdfmake/0.1.18/build/pdfmake.min.js"/>
+<s:script src="https://cdn.rawgit.com/bpampuch/pdfmake/0.1.18/build/vfs_fonts.js"/>
 
 <sjdt:datatables datatablesTheme="jqueryui" buttons="['colvis','pdf','excel','csv','print','copy']" dom="Blfrtip" lengthMenu="[5,10,15,20]" pageLength="15"
 columnDefs="[{targets:[4],render:$.fn.dataTable.render.number(',','.',2)}]"
@@ -52,15 +49,12 @@ responsive="true" style="width:100%;" >
             &lt;h2&gt;DataTables&lt;/h2&gt;
 
 &lt;p class=&quot;text&quot;&gt;
-    JQuery DataTables intégration Demo : Client-side processing, jquery UI theme, DOM dataset
+    JQuery DataTables integration Demo : Client-side processing, jquery UI theme, DOM dataset
 &lt;/p&gt;
 &lt;!-- Required third party libs for pdf and excel export--&gt;
-&lt;script type=&quot;text/javascript&quot; language=&quot;javascript&quot; src=&quot;http://cdnjs.cloudflare.com/ajax/libs/jszip/2.5.0/jszip.min.js&quot;&gt;
-&lt;/script&gt;
-&lt;script type=&quot;text/javascript&quot; language=&quot;javascript&quot; src=&quot;http://cdn.rawgit.com/bpampuch/pdfmake/0.1.18/build/pdfmake.min.js&quot;&gt;
-&lt;/script&gt;
-&lt;script type=&quot;text/javascript&quot; language=&quot;javascript&quot; src=&quot;http://cdn.rawgit.com/bpampuch/pdfmake/0.1.18/build/vfs_fonts.js&quot;&gt;
-&lt;/script&gt;
+&lt;s:script src=&quot;https://cdnjs.cloudflare.com/ajax/libs/jszip/2.5.0/jszip.min.js&quot;/&gt;
+&lt;s:script src=&quot;https://cdn.rawgit.com/bpampuch/pdfmake/0.1.18/build/pdfmake.min.js&quot;/&gt;
+&lt;s:script src=&quot;https://cdn.rawgit.com/bpampuch/pdfmake/0.1.18/build/vfs_fonts.js&quot;/&gt;
 
 &lt;sjdt:datatables datatablesTheme=&quot;jqueryui&quot; buttons=&quot;['colvis','pdf','excel','csv','print','copy']&quot; dom=&quot;Blfrtip&quot; lengthMenu=&quot;[5,10,15,20]&quot; pageLength=&quot;15&quot;
 columnDefs=&quot;[{targets:[4],render:$.fn.dataTable.render.number(',','.',2)}]&quot;
@@ -141,7 +135,7 @@ public class Datatables extends ActionSupport implements SessionAware {
         return this.myCustomers;
     }
 }
-            
+
             </code>
       </pre>
 </div>

struts2-jquery-showcase/src/main/webapp/WEB-INF/content/index.jsp

@@ -6,7 +6,7 @@
     <meta http-equiv="Content-Security-Policy" content="
                           default-src 'none';
                           script-src 'self' 'unsafe-inline' 'unsafe-eval' 'unsafe-hashes' https://code.jquery.com;
-                          style-src 'self' 'unsafe-inline' http://fonts.googleapis.com https://fonts.googleapis.com https://code.jquery.com;
+                          style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://fonts.googleapis.com https://code.jquery.com;
                           base-uri 'self';
                           font-src 'self' http://fonts.gstatic.com https://fonts.gstatic.com;
                           img-src 'self' data:;

struts2-jquery-showcase/src/main/webapp/styles/flexible-grids.css

@@ -13,7 +13,7 @@
  */
 
 /* Google Font API */
-@import url(http://fonts.googleapis.com/css?family=Droid+Serif:400,400italic,700|Droid+Sans:700);
+@import url(https://fonts.googleapis.com/css?family=Droid+Serif:400,400italic,700|Droid+Sans:700);
 
 /* import core styles | Basis-Stylesheets einbinden */
 @import url(../yaml/core/base.css);