diff --git a/CHANGES.md b/CHANGES.md index 5dca56ef5..827cc72ef 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -1,5 +1,9 @@ # Changelog +## 3.3.4 (Unreleased) + +- Avoid `eval` (via `_.template` from lodash). + ## 3.3.3 (2018-02-14) ### Bugfixes diff --git a/src/converse-core.js b/src/converse-core.js index 37cdba557..b2c7a1102 100644 --- a/src/converse-core.js +++ b/src/converse-core.js @@ -20,7 +20,7 @@ "backbone.nativeview", "backbone.browserStorage" ], factory); -}(this, function (sizzle, Promise, _, f, polyfill, i18n, utils, moment, Strophe, pluggable, Backbone) { +}(this, function (sizzle, Promise, _, f, polyfill, i18n, u, moment, Strophe, pluggable, Backbone) { /* Cannot use this due to Safari bug. * See https://github.com/jcbrand/converse.js/issues/196 @@ -217,7 +217,7 @@ /* Private function, used to add a new promise to the ones already * available via the `waitUntil` api method. */ - _converse.promises[promise] = utils.getResolveablePromise(); + _converse.promises[promise] = u.getResolveablePromise(); } _converse.emit = function (name) { @@ -235,7 +235,7 @@ _converse.initialize = function (settings, callback) { "use strict"; settings = !_.isUndefined(settings) ? settings : {}; - const init_promise = utils.getResolveablePromise(); + const init_promise = u.getResolveablePromise(); _.each(PROMISES, addPromise); @@ -617,7 +617,7 @@ this.initStatus = () => new Promise((resolve, reject) => { - const promise = new utils.getResolveablePromise(); + const promise = new u.getResolveablePromise(); this.xmppstatus = new this.XMPPStatus(); const id = b64_sha1(`converse.xmppstatus-${_converse.bare_jid}`); this.xmppstatus.id = id; // Appears to be necessary for backbone.browserStorage @@ -1142,7 +1142,7 @@ }, isSelf (jid) { - return utils.isSameBareJID(jid, _converse.connection.jid); + return u.isSameBareJID(jid, _converse.connection.jid); }, addAndSubscribe (jid, name, groups, message, attributes) { 
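Review bot: The initStatus hunk (`@@ -617`) keeps the `new` operator on the renamed call, `const promise = new u.getResolveablePromise();`, while the other two call sites in this diff (`@@ -217` and `@@ -235`) invoke `u.getResolveablePromise()` plainly. If the helper returns a Promise object, `new` simply hands that object back, so the line works by accident and reads as a constructor call; dropping it, `const promise = u.getResolveablePromise();`, makes the three sites consistent. Whether `promise` is used further down cannot be seen here, since initStatus continues outside the hunk.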
@@ -1862,7 +1862,7 @@ i18n.fetchTranslations( _converse.locale, _converse.locales, - _.template(_converse.locales_url)({'locale': _converse.locale})) + u.interpolate(_converse.locales_url, {'locale': _converse.locale})) .catch(_.partial(_converse.log, _, Strophe.LogLevel.FATAL)) .then(finishInitialization) .catch(_.partial(_converse.log, _, Strophe.LogLevel.FATAL)); @@ -1921,9 +1921,9 @@ }, 'settings': { 'update' (settings) { - utils.merge(_converse.default_settings, settings); - utils.merge(_converse, settings); - utils.applyUserSettings(_converse, settings, _converse.user_settings); + u.merge(_converse.default_settings, settings); + u.merge(_converse, settings); + u.applyUserSettings(_converse, settings, _converse.user_settings); }, 'get' (key) { if (_.includes(_.keys(_converse.default_settings), key)) { @@ -2045,7 +2045,7 @@ 'b64_sha1': b64_sha1, 'moment': moment, 'sizzle': sizzle, - 'utils': utils + 'utils': u } }; window.dispatchEvent(new Event('converse-loaded')); diff --git a/src/utils.js b/src/utils.js index af2423ef7..4b5278a2c 100644 --- a/src/utils.js +++ b/src/utils.js @@ -646,6 +646,14 @@ return promise; }; + u.interpolate = function (string, o) { + return string.replace(/{{{([^{}]*)}}}/g, + (a, b) => { + var r = o[b]; + return typeof r === 'string' || typeof r === 'number' ? r : a; + }); + }; + u.safeSave = function (model, attributes) { if (u.isPersistableModel(model)) { model.save(attributes);
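Review bot: The fetchTranslations hunk (`@@ -1862`) changes the placeholder syntax accepted in `locales_url` from whatever lodash `_.template` was configured for to the `{{{locale}}}` form that `u.interpolate` recognises, and neither the hunk nor the CHANGES.md entry records that. A deployment-supplied `locales_url` still written for the old delimiters would now be fetched with the placeholder left literal, and the surrounding `.catch(_.partial(_converse.log, _, Strophe.LogLevel.FATAL))` only logs that before `finishInitialization` runs anyway, so the failure would be easy to miss. Extending the changelog line, e.g. `- Avoid eval (via lodash _.template); locales_url placeholders now use the {{{locale}}} syntax.`, would make the change visible to integrators. The enclosing function starts and ends outside the hunk.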
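Review bot: The new `u.interpolate` in `src/utils.js` (`@@ -646`) has no comment describing its contract, and as the replacement for an `eval`-backed lodash template the accepted syntax matters; a JSDoc block should state that only `{{{name}}}` placeholders are substituted, that the value is inserted only when `o[name]` is a string or number, and that any other placeholder (missing key, object, function) is left verbatim in the output. The lookup `var r = o[b];` walks the prototype chain of `o`, so a placeholder naming an inherited property resolves as well; limiting it to own properties, `const r = Object.prototype.hasOwnProperty.call(o, b) ? o[b] : undefined;`, keeps substitution to the keys the caller actually passed. `var` is also out of step with the `const` used in the converse-core.js hunks of this same diff. A non-string `string` argument (an unset `locales_url`) will throw from `.replace`, which may be intended but deserves a line in the comment.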