JavaScript template library that doesn't use eval/new Function

Question

Google Chrome extensions using manifest_version: 2 are restricted from using eval or new Function. All of the JavaScript templating librar

Answer 1

Closure Templates is a templating library that does not use eval. Templates are compiled to JavaScript ahead of time, so that what gets included in your app is a plain .js file that should not run into CSP issues.

Answer 2

Maybe you can write a function eval1:

function eval1(blah) {
    var s = document.createElement("script");
    s.src = blah;
    document.head.appendChild(s);
    document.head.removeChild(s);
}

and do a find/replace in the library you want, but that'd be cheating, right?

Answer 3

It turns out that mustachejs added new Function recently and using tag 0.4.2 doesn't have it. It the API is slightly different with Mustache.to_html instead of Mustache.render and there are likely some performance reduction.

I opened an issue to potentially get new Function removed in a future release.

Answer 4

https://developer.chrome.com/extensions/sandboxingEval

Not sure when it was added, but you can do Firefox style sandboxing in Chrome now. I'm porting my Firefox extension, so I need this (since I don't have evalInSandbox :P)