From 9618c0f3a3a8fb2f29096e88ac904a3a31ad5916 Mon Sep 17 00:00:00 2001 From: Vincent Bernat Date: Tue, 17 Apr 2018 22:32:16 +0200 Subject: [PATCH] jade: avoid using eval once compiled Use of eval is handy when we need to automatically reload a template. However, in production, this is slow and unsafe. Moreover, when using CSP, we have to use 'unsafe-eval' which brings shame to most of us. It appears use of eval() is not needed because the template has already been translated to Javascript. We just need to bind "jade" to its local scope. So, we add an additional wrapper function binding "jade" to the local scope. Moreover, when compiling the template, we add a flag to the function to know it has already been compiled. In this case, we execute it with "jade" in its scope. Otherwise, we keep using eval. Quickly tested in both situations. Seem to work. Fix #274. --- isso/js/app/jade.js | 3 +++ isso/js/lib/requirejs-jade/jade.js | 8 ++++++-- 2 files changed, 9 insertions(+), 2 deletions(-)
diff --git a/isso/js/app/jade.js b/isso/js/app/jade.js
index 46d6269..0064d60 100644
--- a/isso/js/app/jade.js
+++ b/isso/js/app/jade.js
@@ -7,6 +7,9 @@ define(["libjs-jade-runtime", "app/utils", "jade!app/text/postbox", "jade!app/te
 var load = function(name, js) {
 templates[name] = (function(jade) {
 var fn;
+ if (js.compiled) {
+ return js(jade);
+ }
 eval("fn = " + js);
 return fn;
 })(runtime);
diff --git a/isso/js/lib/requirejs-jade/jade.js b/isso/js/lib/requirejs-jade/jade.js
index 59189a4..383d3f5 100644
--- a/isso/js/lib/requirejs-jade/jade.js
+++ b/isso/js/lib/requirejs-jade/jade.js
@@ -49,8 +49,12 @@ define(function() {
 write: function(plugin, name, write) {
 if (builds.hasOwnProperty(name)) {
 write("define('" + plugin + "!" + name +"', function () {" +
- " var fn = " + builds[name] + ";" +
- " return fn;" +
+ " var wfn = function (jade) {" +
+ " var fn = " + builds[name] + ";" +
+ " return fn;" +
+ " };" +
+ "wfn.compiled = true;" +
+ "return wfn;" +
 "});\n");
 }
 }
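Review bot: The new `js.compiled` branch calls `js` without checking that it is a function, and the `eval` fallback below it still runs for any value that lacks the flag. Under a CSP without 'unsafe-eval', a template that reaches `load` uncompiled would therefore only be noticed when that module is loaded in the browser. Tightening the guard to `if (typeof js === "function" && js.compiled) {` limits the call path to what the build plugin emits. A comment above the fallback, such as `// uncompiled template source (non-optimized loading only); requires 'unsafe-eval' under CSP`, would record that the remaining `eval` is deliberate. The closing of `load` lies outside the hunk.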
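Review bot: The generated wrapper in `write` relies on two conventions that nothing in the code states. Its parameter must be named `jade`, because the emitted `builds[name]` body apparently resolves that identifier from the enclosing scope, and `wfn.compiled` is the only signal that tells `load` in app/jade.js to call the function instead of passing it to `eval`. A comment above the `write(` call would keep a later rename from silently sending production templates back to the `eval` path, for example `// wfn(jade) binds the runtime under the name the compiled template expects; wfn.compiled is checked by app/jade.js`. As a style point, the `"wfn.compiled = true;"` and `"return wfn;"` fragments lack the leading space the neighbouring fragments carry, which is harmless given the semicolons but makes the generated output uneven.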