
If this doesn't use a compiler, the "when" feature looks like it will require 'unsafe-eval' and potentially 'unsafe-inline' to be enabled in content security policy, which will disable browser XSS protections. Not optimal for an easy-to-use component system intended for display of remote data.

Edit: I don’t see a CSP on the dogfooded homepage so I would assume this is an issue.



XMLUI does not execute JavaScript with "eval" or anything that would not comply with CSP. It runs interpreted JavaScript asynchronously in a sandbox and does not allow use of "eval" (and another dozen low-level functions, such as setTimeout).


So the project has implemented a custom JavaScript parser and evaluator in TypeScript?


that is insane.


Just ship https://github.com/NeilFraser/JS-Interpreter and you’re good to go! /s


As a follow-up: Angular actually did this! https://docs.angularjs.org/guide/expression

> AngularJS does not use JavaScript's eval() to evaluate expressions. Instead AngularJS's $parse service processes these expressions.
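
A minimal version of what the two replies above describe (an expression language for template conditions such as `when`, evaluated by a hand-written parser instead of `eval()`), added here as an illustration. It is not XMLUI's or AngularJS's code and assumes nothing about their internals; the grammar, the `evalWhen` function and the sample scope are all constructed for this example. The point it demonstrates is the defensive one from the thread: because no `eval()` or `new Function()` is involved, a page can keep a CSP without `'unsafe-eval'`, and because lookups are limited to own properties of the supplied scope, an expression cannot reach `window`, prototypes or constructors.

```javascript
"use strict";

// Tokenizer for a small expression language: numbers, quoted strings,
// identifiers, dotted member access, comparison, arithmetic and logic.
function tokenize(src) {
  const tokens = [];
  let i = 0;
  while (i < src.length) {
    const rest = src.slice(i);
    let m;
    if (/^\s/.test(rest)) { i++; continue; }
    if ((m = /^\d+(?:\.\d+)?/.exec(rest))) { tokens.push({ t: "num", v: Number(m[0]) }); }
    else if ((m = /^(?:"(?:[^"\\]|\\.)*"|'(?:[^'\\]|\\.)*')/.exec(rest))) {
      tokens.push({ t: "str", v: m[0].slice(1, -1).replace(/\\(.)/g, "$1") });
    }
    else if ((m = /^[A-Za-z_$][\w$]*/.exec(rest))) { tokens.push({ t: "id", v: m[0] }); }
    else if ((m = /^(?:===|!==|==|!=|<=|>=|&&|\|\||[-+*\/()!<>.])/.exec(rest))) { tokens.push({ t: "op", v: m[0] }); }
    else throw new SyntaxError(`Unexpected character '${rest[0]}' at ${i}`);
    i += m[0].length;
  }
  return tokens;
}

// Recursive-descent parser producing a small AST (no eval, no Function).
function parse(src) {
  const toks = tokenize(src);
  let p = 0;
  const peek = () => toks[p];
  const next = () => toks[p++];
  const eat = (v) => (peek() && peek().t === "op" && peek().v === v ? (p++, true) : false);
  const expect = (v) => { if (!eat(v)) throw new SyntaxError(`Expected '${v}'`); };
  const binary = (sub, ops) => () => {
    let left = sub();
    while (peek() && peek().t === "op" && ops.includes(peek().v)) {
      const op = next().v;
      left = { k: "bin", op, l: left, r: sub() };
    }
    return left;
  };
  function primary() {
    const tok = next();
    if (!tok) throw new SyntaxError("Unexpected end of expression");
    if (tok.t === "num" || tok.t === "str") return { k: "lit", v: tok.v };
    if (tok.t === "id") {
      if (tok.v === "true") return { k: "lit", v: true };
      if (tok.v === "false") return { k: "lit", v: false };
      if (tok.v === "null") return { k: "lit", v: null };
      let node = { k: "id", name: tok.v };
      while (eat(".")) {
        const prop = next();
        if (!prop || prop.t !== "id") throw new SyntaxError("Expected property name after '.'");
        node = { k: "member", obj: node, prop: prop.v };
      }
      return node;
    }
    if (tok.t === "op" && tok.v === "(") { const e = or(); expect(")"); return e; }
    throw new SyntaxError(`Unexpected token '${tok.v}'`);
  }
  function unary() {
    if (eat("!")) return { k: "not", e: unary() };
    if (eat("-")) return { k: "neg", e: unary() };
    return primary();
  }
  const mul = binary(unary, ["*", "/"]);
  const add = binary(mul, ["+", "-"]);
  const cmp = binary(add, ["<", ">", "<=", ">="]);
  const eq = binary(cmp, ["==", "!=", "===", "!=="]);
  const and = binary(eq, ["&&"]);
  const or = binary(and, ["||"]);
  const ast = or();
  if (p < toks.length) throw new SyntaxError(`Unexpected token '${toks[p].v}'`);
  return ast;
}

// Property access is restricted to own properties of the value in hand, so
// `constructor`, `__proto__` and anything else on the prototype chain, as well
// as globals like `window`, resolve to undefined rather than to live objects.
function lookup(obj, key) {
  if (obj === null || typeof obj !== "object") return undefined;
  return Object.prototype.hasOwnProperty.call(obj, key) ? obj[key] : undefined;
}

function evaluate(node, scope) {
  switch (node.k) {
    case "lit": return node.v;
    case "id": return lookup(scope, node.name);
    case "member": return lookup(evaluate(node.obj, scope), node.prop);
    case "not": return !evaluate(node.e, scope);
    case "neg": return -evaluate(node.e, scope);
    case "bin": {
      const l = evaluate(node.l, scope);
      if (node.op === "&&") return l && evaluate(node.r, scope); // short-circuit
      if (node.op === "||") return l || evaluate(node.r, scope);
      const r = evaluate(node.r, scope);
      switch (node.op) {
        case "+": return l + r; case "-": return l - r;
        case "*": return l * r; case "/": return l / r;
        case "<": return l < r; case ">": return l > r;
        case "<=": return l <= r; case ">=": return l >= r;
        case "==": case "===": return l === r;
        case "!=": case "!==": return l !== r;
      }
    }
  }
  throw new Error(`Unknown node kind ${node.k}`);
}

// Evaluate a `when`-style condition against a scope object and coerce to boolean.
function evalWhen(expr, scope) { return Boolean(evaluate(parse(expr), scope)); }

// Constructed sample scope, standing in for remote data a template would render.
const sampleScope = { user: { name: "ada", age: 32, banned: false }, items: [1, 2, 3] };
console.log(evalWhen("user.age >= 18 && !user.banned", sampleScope)); // true
console.log(evalWhen("user.constructor", sampleScope)); // false: prototype members are unreachable
```

With this design a template can be served under a header such as `Content-Security-Policy: script-src 'self'` with no `'unsafe-eval'`, because the condition text is data to this parser, never code to the JavaScript engine. The evaluator is deliberately small: no function calls, no assignment and no bracket access, which is the usual trade-off such template languages make to keep the sandbox boundary simple to reason about.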


Note that those are the AngularJS aka "Angular 1" docs.

For Angular as in "Angular 2" docs, see https://angular.dev/guide/templates/expression-syntax


Looks like they actually went this route, but implemented it from scratch.



