Improper neutralization of directives in dynamically evaluated code ('Eval Injection')

Created on 20 August 2024

File: web/core/misc/time-diff.js:110-119

const refreshInterval = Drupal.timeDiff.refreshInterval(
  timeDiff.value,
  timeDiffSettings.refresh,
  timeDiffSettings.granularity,
);
clearTimeout(timers.get(timeElement));
timers.set(
  timeElement,
  // First argument is a function reference, not a string: nothing is evaluated from data here.
  setTimeout(Drupal.timeDiff.show, refreshInterval * 1000, timeElement),
);

Description: User controlled data in eval() or similar functions may result in Server Side Injection or Remote Code Injection
Tool: SAST
Scanner: Semgrep

Identifiers

  • CWE-95
  • NodeJS Scan ID javascript-eval-rule-eval_nodejs
  • A1:2017 - Injection
  • A03:2021 - Injection
  • nodejs_scan.javascript-eval-rule-eval_nodejs
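The flagged lines pass a function reference (Drupal.timeDiff.show) as the first argument of setTimeout, while the Semgrep rule matches the timer call itself. The CWE-95 condition for a timer is the string form, where the browser hands the string to global eval. The following triage helper is an added example, not Drupal core or Semgrep code: it scans JavaScript source for setTimeout/setInterval calls, extracts the first argument with a bracket counter (so the multi-line call in the report is handled), and reports whether that argument is a string literal, a string-building expression, or a callable. The function names and all sample inputs are constructed for this example; the first sample mirrors the reported lines, the string-argument samples are hypothetical.

```javascript
"use strict";

// Added triage helper, not Drupal core or Semgrep code. It finds setTimeout/
// setInterval calls in a JavaScript source string and classifies the first
// argument: a string (or string-building expression) is the implied-eval form
// that CWE-95 covers; a function reference, arrow or function expression is
// ordinary callback scheduling and no code is evaluated from data.

const TIMER_CALL = /\b(setTimeout|setInterval)\s*\(/g;

// Return the source text of the first argument of the call whose "(" sits at
// openIdx. A bracket counter handles nested calls and multi-line argument lists;
// string literals are skipped so commas and parens inside them are ignored.
function firstArgument(src, openIdx) {
  let depth = 0;
  let quote = null;
  for (let i = openIdx; i < src.length; i++) {
    const ch = src[i];
    if (quote !== null) {
      if (ch === "\\") { i += 1; continue; }   // skip the escaped character
      if (ch === quote) quote = null;
      continue;
    }
    if (ch === '"' || ch === "'" || ch === "`") { quote = ch; continue; }
    if (ch === "(" || ch === "[" || ch === "{") {
      depth += 1;
    } else if (ch === ")" || ch === "]" || ch === "}") {
      depth -= 1;
      if (depth === 0) return src.slice(openIdx + 1, i).trim(); // single-argument call
    } else if (ch === "," && depth === 1) {
      return src.slice(openIdx + 1, i).trim();
    }
  }
  return null; // unbalanced call, cannot classify
}

// Classify the argument text. Order matters: a callable that merely contains
// a quoted string (for example in an arrow body) must not count as a string.
function classifyHandler(arg) {
  if (!arg) return "unknown";
  const quotedLiteral = /^(["'])(?:\\.|(?!\1)[^\\])*\1$/.test(arg);
  const plainTemplate = /^`(?:\\.|[^`\\])*`$/.test(arg) && !arg.includes("${");
  if (quotedLiteral || plainTemplate) return "string-literal";       // eval of fixed code
  if (/^(async\s+)?function\b/.test(arg) || arg.includes("=>")) return "callable";
  if (/^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$/.test(arg)) return "callable"; // identifier or member chain
  if (/["'`]/.test(arg)) return "string-expression";                // concatenation or ${}: data can reach eval
  return "unknown";
}

// Scan a source string and report one finding per timer call.
function auditTimers(src) {
  const findings = [];
  TIMER_CALL.lastIndex = 0;
  let m;
  while ((m = TIMER_CALL.exec(src)) !== null) {
    const openIdx = m.index + m[0].length - 1;
    const handler = firstArgument(src, openIdx);
    const kind = classifyHandler(handler);
    findings.push({
      call: m[1],
      handler,
      kind,
      impliedEval: kind === "string-literal" || kind === "string-expression",
    });
  }
  return findings;
}

// Constructed samples. The first mirrors the flagged web/core/misc/time-diff.js
// lines; the string-argument ones are hypothetical and are the forms that do
// carry the CWE-95 risk in a browser, where a string handler goes to global eval.
const SAMPLES = {
  flaggedDrupalSnippet: `
    clearTimeout(timers.get(timeElement));
    timers.set(
      timeElement,
      setTimeout(Drupal.timeDiff.show, refreshInterval * 1000, timeElement),
    );`,
  hypotheticalInjectable: `setTimeout("Drupal.timeDiff.show(" + elementId + ")", delay);`,
  hypotheticalFixedString: `setInterval("tick()", 1000);`,
  arrowCallback: `setTimeout(() => show(el, "x"), 0);`,
};

// Run the audit over every sample and return the findings keyed by sample name.
function triageReport() {
  const report = {};
  for (const [name, src] of Object.entries(SAMPLES)) report[name] = auditTimers(src);
  return report;
}

for (const [name, findings] of Object.entries(triageReport())) {
  for (const f of findings) {
    console.log(`${name}: ${f.call}(${f.handler}, ...) -> ${f.kind}${f.impliedEval ? " [implied eval]" : ""}`);
  }
}
```

Run with node; the flagged snippet reports a single callable finding and no implied eval, the two string samples report implied eval. Node's own setTimeout rejects a non-function handler with ERR_INVALID_ARG_TYPE, so the string form only executes code in browsers, which is where this core file runs.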

🐛 Bug report
Status: Active
Version: 10.3
Component: Javascript
