Scripts within view are not evaluated about highway HOT 5 CLOSED

Dear @wassim,

Because of the danger of evaluating malicious code we can't allow a method to evaluate scripts in the core of Highway and we don't want to take responsibility of potential issues related to that. This means that for now the code evaluation will have to be done by yourself in the renderers of pages containing this kind of inline scripts within the onEnter method for example.

Here is a code sample that should do the work but be careful about the code you are evaluating:

onEnter() {
  const scripts = this.view.querySelectorAll('script');

  for (const script of scripts) {
    const code = script.innerText;

    if (code.length !== 0) {
      Function(code)();
    }
  }
}

You can read more about danger of evaluating code in the documentation about the eval method.

If you know a better and more secure way for evaluating inline scripts don't hesitate to tell us, we will be happy to implement this kind of behavior in the core of Highway if we are sure it's harmless for end-users.

Best regards,
Anthony

from highway.

@wassim Indeed we'll have to evaluate all scripts within the router-view HTML on navigation. We will look at it ASAP but for now you can use events and access the To renderer and the router-view and evaluate scripts by yourself.

from highway.

Why do you need script tags within the view ?
They should either be before the close body tag or in the head...

So I would say that yes this is done on purpose but maybe you have some good reasons.

from highway.

@Anthodpnt I'm using WordPress with Gravity Forms. The plugin is adding inline javascript next to forms. There is many plugins that do this sort of things.

from highway.

Hi @wassim, did you end up finding a secure solution to this issue? Trying to implement Gravity Forms with Highway and am curious how you solved this.

from highway.