-
Improvement
-
Resolution: Fixed
-
Minor
eval call in hudson-behaviour.js renderOnDemand method
Culprit
Proposal
https://www.jenkins.io/doc/developer/security/csp/#eval-calls
Testing
- links to
[JENKINS-71513] [core] CSP compatibility: eval call in hudson-behaviour.js (renderOnDemand)
Status | Original: Open [ 1 ] | New: In Progress [ 3 ] |
Status | Original: In Progress [ 3 ] | New: Open [ 1 ] |
Summary | Original: [core] CSP compatibility: eval call in hudson-behaviour.js | New: [core] CSP compatibility: eval call in hudson-behaviour.js (renderOnDemand) |
Assignee | New: Daniel Beck [ danielbeck ] |
Status | Original: Open [ 1 ] | New: In Progress [ 3 ] |
Status | Original: In Progress [ 3 ] | New: In Review [ 10005 ] |
Remote Link | New: This issue links to "PR#6865 (Web Link)" [ 28864 ] |
Released As | New: 2.447 | |
Resolution | New: Fixed [ 1 ] | |
Status | Original: In Review [ 10005 ] | New: Closed [ 6 ] |
This is a part of Stapler, so addressing this does not seem straightforward to me.
See:
At glance it might be possible to not build the makeStaplerProxy(...) call as string, but to assign separate attributes to an element, and then call makeStaplerProxy in JS in core instead of eval("makeStaplerProxy(...)"), but it requires deeper investigation.