0

I am getting a security error for the eval(). an error looks likes below.

Uncaught EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self' 'sha256-P/4RbWZ5tavHlZH3S2JukJ4toJ9iLwFkiBGYsngpgqo=' 'sha256-i4JIH9RhDp81FOGH3ZwoQRt2R4uvOYyeOmkCZoX6HeY=' 'sha256-3VlFnxIhSKloUaebh7I+Yjnu9vwMuwGEuqykqBQQLNw=' 'sha256-GHjvsztQyqr0koa6RWaeYUhRgrR/WcXa+NGlCwEpcLY=' 'sha256-3W2JH/z3DpHtF9okrA6TIFaJ6wFrL4gfTXfK5fjo1V0=' ssl.google-analytics.com

Below is my JS code.

eval(function (p, a, c, k, e, r) {
    e = function (c) {
        return (c < a ? '' : e(parseInt(c / a))) + ((c = c % a) > 35 ? String.fromCharCode(c + 29) : c.toString(36))
    };
    if (!''.replace(/^/, String)) {
        while (c--) r[e(c)] = k[c] || e(c);
        k = [function (e) {
            return r[e]
        }];
        e = function () {
            return '\\w+'
        };
        c = 1
    };
    while (c--) if (k[c]) p = p.replace(new RegExp('\\b' + e(c) + '\\b', 'g'), k[c]);
    return p
}('3(7.X){7["R"+a]=a;7["z"+a]=6(){7["R"+a](7.1k)};7.X("1e",7["z"+a])}E{7.19("z",a,15)}2 j=H V();6 a(){2 e=q.1d("1a");3(e){o(e,"P");2 N=B(q,"*","14");3((e.12<=10)||(N=="")){c(e,"P",d)}}4=B(q,"*","1n");k(i=0;i<4.b;i++){3(4[i].F=="1g"||4[i].F=="1f"||4[i].F=="1c"){4[i].1b=6(){r();c(v.5.5,"f",d)};4[i].O=6(){r();c(v.5.5,"f",d)};j.D(j.b,0,4[i])}E{4[i].O=6(){r();c(v.5.5,"f",d)};4[i].18=6(){o(v.5.5,"f")}}}2 C=17.16.13();2 A=q.M("11");3(C.K("J")+1){c(A[0],"J",d)}3(C.K("I")+1){c(A[0],"I",d)}}6 r(){k(2 i=0;i<j.b;i++){o(j[i].5.5,"f")}}6 B(m,y,w){2 x=(y=="*"&&m.Y)?m.Y:m.M(y);2 G=H V();w=w.1m(/\\-/g,"\\\\-");2 L=H 1l("(^|\\\\s)"+w+"(\\\\s|$)");2 n;k(2 i=0;i<x.b;i++){n=x[i];3(L.1j(n.8)){G.1i(n)}}1h(G)}6 o(p,T){3(p.8){2 h=p.8.Z(" ");2 U=T.t();k(2 i=0;i<h.b;i++){3(h[i].t()==U){h.D(i,1);i--}}p.8=h.S(" ")}}6 c(l,u,Q){3(l.8){2 9=l.8.Z(" ");3(Q){2 W=u.t();k(2 i=0;i<9.b;i++){3(9[i].t()==W){9.D(i,1);i--}}}9[9.b]=u;l.8=9.S(" ")}E{l.8=u}}', 62, 86, '||var|if|elements|parentNode|function|window|className|_16|initialize|length|addClassName|true|_1|highlighted||_10||el_array|for|_13|_6|_c|removeClassName|_e|document|safari_reset||toUpperCase|_14|this|_8|_9|_7|load|_4|getElementsByClassName|_3|splice|else|type|_a|new|firefox|safari|indexOf|_b|getElementsByTagName|_2|onfocus|no_guidelines|_15|event_load|join|_f|_11|Array|_17|attachEvent|all|split|450|body|offsetWidth|toLowerCase|guidelines|false|userAgent|navigator|onblur|addEventListener|main_body|onclick|file|getElementById|onload|radio|checkbox|return|push|test|event|RegExp|replace|element'.split('|'), 0, {}))

I am not much familiar with JS and CSP errors. can anyone help me with how to change this eval function?

Any help would be appreciated! Thanks :)

Rory McCrossan
  • 331,213
  • 40
  • 305
  • 339
Chirag Patel
  • 187
  • 2
  • 17
  • 2
    `Below is my JS code.` what does it do? – Jaromanda X Jun 29 '21 at 10:16
  • 4
    This looks like obfuscated packed code so why would you want to convert it? – mplungjan Jun 29 '21 at 10:16
  • 1
    *"...how to convert code using a eval() to using Function()?"* That's only very marginally safer than `eval`. Any tool complaining about `eval` will likely complain about `new Function`. – T.J. Crowder Jun 29 '21 at 10:17
  • More context is needed here. Consider checking [this issue](https://github.com/exceljs/exceljs/issues/713) for possible workarounds. – raina77ow Jun 29 '21 at 10:20
  • Why is this tagged HTML and PHP? Even jQuery seems irrelevant. – Rory McCrossan Jun 29 '21 at 10:23
  • 1
    if you want to allow your JS code to run on your website, simply update your *Content Security Policy directive* to include `unsafe-eval` - or don't obfuscate your code in the first place – Jaromanda X Jun 29 '21 at 10:25
  • @RoryMcCrossan - jQuery has been irrelevant for years :p – Jaromanda X Jun 29 '21 at 10:30
  • @JaromandaX thanks. but is it secure to add `unsafe-eval`? because I have checked in CSP document it is showing it is dangerous to use eval. – Chirag Patel Jun 29 '21 at 10:30
  • So remove your packing and your eval will disappear – mplungjan Jun 29 '21 at 10:32
  • @ChiragPatel - I suggested two alternatives - it's not like that code is anything that requires obfuscating! I'm reading it now and I'm thinking, why did you bother trying to obfuscate that code? – Jaromanda X Jun 29 '21 at 10:33
  • @mplungjan Thanks, do you mean that this error is showing due to a packed file. there is no error in the code right? I have unpacked my js using this http://matthewfl.com/unPacker.html and js code looks totally different. can you provide some more information related to this packaging js? why we use it? is it required to pack? any documentation can you share so can review it. – Chirag Patel Jun 29 '21 at 10:45
  • https://www.google.com/search?q=packed+OR+packer+javascript+site%3Astackoverflow.com – mplungjan Jun 29 '21 at 11:02
  • https://stackoverflow.com/questions/3158869/javascript-packer-versus-minifier – mplungjan Jun 29 '21 at 11:04
  • ESPECIALLY THIS: https://stackoverflow.com/a/24680035/295783 – mplungjan Jun 29 '21 at 11:05
  • Thanks to all :) – Chirag Patel Jun 29 '21 at 12:54

0 Answers0