Precompile jsrender templates to avoid unsafe-eval
For implementing our Content Security Policy I would like to avoid any code that uses eval() or new Function, so that I don’t have to add unsafe-eval to the CSP. However, JsRender uses new Function to compile templates.
Is there a way to avoid this or work around it? Is it on the JsRender roadmap?
Note: I was thinking of solving this by precompiling our templates on the server (something like http://handlebarsjs.com/precompilation.html), so that I only need to render on the client. When I examine the code, it looks like I could make it work by serializing the compiled template (i.e., the result of calling compileTmpl), including all its subtemplates, to a JSON-string on the server, putting that in a <script> tag and then use that to render.
One of the issues I’m running into with this approach, is that the compiled templates also contain a reference to a render function, which is internal to JsRender. I would have to expose it to be able to use it on the client, I think.
Top GitHub Comments
Hi, I know this issue is closed but we need to have JsRender work with a precompiled version of templates in a CSP environment with no eval() or new Function(). Adding this to a future release will help our project a lot.
No plan for the moment. (Although we may re-consider this in the future…). See also the discussion here.
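The server-side precompilation idea from the issue, as an added example that is not part of the original thread and is not JsRender's own code or API: the template is compiled to a JSON-serializable list of operations, and a small interpreter renders it on the client, so nothing calls eval() or new Function under a CSP without unsafe-eval. The names precompile, render, lookup and toScriptJson are hypothetical, and only two tag forms modelled on {{:path}} and {{>path}} are handled.

```javascript
// Added example: hypothetical helpers, not JsRender's API.
// Build step (server): turn template text into a plain array of operations.
function precompile(source) {
  const ops = [];
  const tag = /\{\{([:>])\s*([\w$.]+)\s*\}\}/g;
  let last = 0, m;
  while ((m = tag.exec(source)) !== null) {
    if (m.index > last) ops.push(["text", source.slice(last, m.index)]);
    // ":" renders the value as-is, ">" renders it HTML-encoded.
    ops.push([m[1] === ">" ? "encoded" : "raw", m[2].split(".")]);
    last = tag.lastIndex;
  }
  if (last < source.length) ops.push(["text", source.slice(last)]);
  return JSON.stringify(ops); // data only: no functions to serialize
}

const ESC = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function htmlEncode(value) {
  return String(value).replace(/[&<>"']/g, (c) => ESC[c]);
}

// Own-property lookup only, so a path such as "constructor" never walks the prototype chain.
function lookup(data, path) {
  let cur = data;
  for (const key of path) {
    const own = cur !== null && typeof cur === "object" &&
      Object.prototype.hasOwnProperty.call(cur, key);
    if (!own) return "";
    cur = cur[key];
  }
  return cur === null || cur === undefined ? "" : cur;
}

// Client: interpret the operations; no code is generated at run time.
function render(serialized, data) {
  let out = "";
  for (const [kind, arg] of JSON.parse(serialized)) {
    if (kind === "text") out += arg;
    else if (kind === "raw") out += String(lookup(data, arg));
    else if (kind === "encoded") out += htmlEncode(lookup(data, arg));
    else throw new Error("unknown op: " + kind);
  }
  return out;
}

// For embedding in <script type="application/json">: escape "<" so a literal
// "</script>" inside the template text cannot terminate the data block.
function toScriptJson(serialized) {
  return serialized.replace(/</g, "\\u003c");
}
```

A script element with type application/json is treated as data rather than executed, and the client reads its text content and passes it to render.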