CSP: Webpack-Build use eval function to execute the plugin

Created on 11 April 2024, 8 months ago
Updated 24 May 2024, 6 months ago

Problem/Motivation

CKEditor Abbreviation use eval in its webpack build to execute the plugin.
I am running all sites with a strict Content Security Policy and try to avoid unsafe-inline and unsafe-eval policies.

There are several lines like this:

eval('__webpack_require__.r(__webpack_exports__);\n/* harmony export */ __webpack_require__.d(__webpack_exports__, {\n/* harmony export */   "default": () => (/* binding */ Abbreviation)\n/* harmony export */ });\n/* harmony import */ var ckeditor5_src_core__WEBPACK_IMPORTED_MODULE_0__ = __webpack_require__(/*! ckeditor5/src/core */ "ckeditor5/src/core.js");\n/* harmony import */ var _abbreviationediting__WEBPACK_IMPORTED_MODULE_1__ = __webpack_require__(/*! ./abbreviationediting */ "./js/ckeditor5_plugins/abbreviation/src/abbreviationediting.js");\n/* harmony import */ var _abbreviationui__WEBPACK_IMPORTED_MODULE_2__ = __webpack_require__(/*! ./abbreviationui */ "./js/ckeditor5_plugins/abbreviation/src/abbreviationui.js");\n\n\n\n\nclass Abbreviation extends ckeditor5_src_core__WEBPACK_IMPORTED_MODULE_0__.Plugin {\n\tstatic get requires() {\n\t\treturn [ _abbreviationediting__WEBPACK_IMPORTED_MODULE_1__["default"], _abbreviationui__WEBPACK_IMPORTED_MODULE_2__["default"] ];\n\t}\n}\n\n//# sourceURL=webpack://CKEditor5.abbreviation/./js/ckeditor5_plugins/abbreviation/src/abbreviation.js?')

Steps to reproduce

  1. Download and enable drupal.org/project/csp (script-src)
  2. Download and enable CKEditor Abbreviation
  3. Try to add a node and watch the browser is blocking the execution of the hole CKEditor

Proposed resolution

Do a javascript build without eval usage.

🐛 Bug report
Status

Fixed

Version

4.0

Component

Code

Created by

🇩🇪Germany sunlix Wesel

Live updates comments and jobs are added and updated live.
Sign in to follow issues

Comments & Activities

Production build 0.71.5 2024