Fix SonarQube security issues

zkoss · May 20, 2024 · dabba6a · dabba6a
1 parent 3ee32bf
commit dabba6a
Show file tree

Hide file tree

Showing 5 changed files with 15 additions and 12 deletions.
diff --git a/zk/src/main/resources/web/js/zk/zk.ts b/zk/src/main/resources/web/js/zk/zk.ts
@@ -192,8 +192,9 @@ function regClass<S extends typeof ZKObject>(jclass: S): S {
 _zk.regClass = regClass;
 
 function defGet(nm: string): Getter {
-	// eslint-disable-next-line no-new-func
-	return new Function('return this.' + nm + ';');
+	return function (this: zk.Widget): unknown {
+		return this[nm];
+	};
 }
 function defSet00(nm: string): GeneratedSetter {
 	return function (v) {

diff --git a/zul/src/main/java/org/zkoss/zul/Datebox.java b/zul/src/main/java/org/zkoss/zul/Datebox.java
@@ -45,6 +45,7 @@
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
+import org.zkoss.json.JavaScriptValue;
 import org.zkoss.lang.Library;
 import org.zkoss.lang.Objects;
 import org.zkoss.lang.Strings;
@@ -1122,7 +1123,7 @@ protected void renderProperties(org.zkoss.zk.ui.sys.ContentRenderer renderer) th
 
 		String unformater = getUnformater();
 		if (!Strings.isBlank(unformater))
-			renderer.render("unformater", unformater);
+			renderer.render("unformater", new JavaScriptValue(unformater));
 
 		if (_locale != null)
 			renderer.render("localizedSymbols", getRealSymbols(_locale, this));

diff --git a/zul/src/main/java/org/zkoss/zul/Timebox.java b/zul/src/main/java/org/zkoss/zul/Timebox.java
@@ -31,6 +31,7 @@
 import java.util.Map;
 import java.util.TimeZone;
 
+import org.zkoss.json.JavaScriptValue;
 import org.zkoss.lang.Library;
 import org.zkoss.lang.Objects;
 import org.zkoss.lang.Strings;
@@ -336,7 +337,7 @@ protected void renderProperties(org.zkoss.zk.ui.sys.ContentRenderer renderer) th
 
 		String unformater = getUnformater();
 		if (!Strings.isBlank(unformater))
-			renderer.render("unformater", unformater); // TODO: compress
+			renderer.render("unformater", new JavaScriptValue(unformater)); // TODO: compress
 
 		if (_locale != null)
 			renderer.render("localizedSymbols", getRealSymbols());

diff --git a/zul/src/main/resources/web/js/zul/db/Datebox.ts b/zul/src/main/resources/web/js/zul/db/Datebox.ts
@@ -296,12 +296,12 @@ export class Datebox extends zul.inp.FormatWidget<DateImpl> {
 	 * Sets the unformater function. This method is called from Server side.
 	 * @param unf - the unformater function
 	 */
-	setUnformater(unformater: string, opts?: Record<string, boolean>): this {
+	setUnformater(unformater: zul.db.Unformater, opts?: Record<string, boolean>): this {
 		const o = this._unformater;
-		this._unformater = unformater;
+		this._unformater = unformater.toString();
 
-		if (o !== unformater || opts?.force) {
-			eval('Datebox._unformater = ' + unformater); // eslint-disable-line no-eval
+		if (o !== this._unformater || opts?.force) {
+			Datebox._unformater = unformater;
 		}
 
 		return this;

diff --git a/zul/src/main/resources/web/js/zul/db/Timebox.ts b/zul/src/main/resources/web/js/zul/db/Timebox.ts
@@ -127,12 +127,12 @@ export class Timebox extends zul.inp.FormatWidget<DateImpl> {
 	 * Sets the unformater function. This method is called from Server side.
 	 * @param unformater - the unformater function
 	 */
-	setUnformater(unformater: string, opts?: Record<string, boolean>): this {
+	setUnformater(unformater: zul.db.Unformater, opts?: Record<string, boolean>): this {
 		const o = this._unformater;
-		this._unformater = unformater;
+		this._unformater = unformater.toString();
 
-		if (o !== unformater || opts?.force) {
-			eval('Timebox._unformater = ' + unformater); // eslint-disable-line no-eval
+		if (o !== this._unformater || opts?.force) {
+			Timebox._unformater = unformater;
 		}
 
 		return this;