JavaScript template library that doesn't use eval/new Function

前端 未结 10 1232
抹茶落季
抹茶落季 2021-02-05 17:52

Google Chrome extensions using manifest_version: 2 are restricted from using eval or new Function. All of the JavaScript templating librar

相关标签:
10条回答
  • 2021-02-05 18:36

    Closure Templates is a templating library that does not use eval. Templates are compiled to JavaScript ahead of time, so that what gets included in your app is a plain .js file that should not run into CSP issues.

    0 讨论(0)
  • 2021-02-05 18:37

    Maybe you can write a function eval1:

    function eval1(blah) {
        var s = document.createElement("script");
        s.src = blah;
        document.head.appendChild(s);
        document.head.removeChild(s);
    }
    

    and do a find/replace in the library you want, but that'd be cheating, right?

    0 讨论(0)
  • 2021-02-05 18:42

    It turns out that mustachejs added new Function recently and using tag 0.4.2 doesn't have it. It the API is slightly different with Mustache.to_html instead of Mustache.render and there are likely some performance reduction.

    I opened an issue to potentially get new Function removed in a future release.

    0 讨论(0)
  • 2021-02-05 18:43

    https://developer.chrome.com/extensions/sandboxingEval

    Not sure when it was added, but you can do Firefox style sandboxing in Chrome now. I'm porting my Firefox extension, so I need this (since I don't have evalInSandbox :P)

    0 讨论(0)
提交回复
热议问题