Replace "new Function" with safe javascript code

extesy · Oct 24, 2021 · 98a6d97 · 98a6d97
1 parent 4269441
commit 98a6d97
Show file tree

Hide file tree

Showing 4 changed files with 21 additions and 5 deletions.
diff --git a/plugins/duckduckgo.js b/plugins/duckduckgo.js
@@ -160,7 +160,11 @@ hoverZoomPlugins.push({
         // Return JSON object corresponding to path, without using the Evil eval
         // path syntax: [key1][key2][key3]...
         function getObjectFromPath(objJson, path) {
-            return new Function('return ' + JSON.stringify(objJson) + path)();
+            if (!path || path.length < 4) return objJson;
+            const keys = path.substr(2, path.length-4).split('"]["');
+            let result = objJson;
+            keys.forEach(key => result = result[key]);
+            return result;
         }
 
         //        src: https://external-content.duckduckgo.com/iu/?u=https%3A%2F%2Ftse1.mm.bing.net%2Fth%3Fid%3DOIP.7U2iajPXuu6D4PSvAoI1wQHaFu%26pid%3DApi&f=1

diff --git a/plugins/flickr.js b/plugins/flickr.js
@@ -211,7 +211,11 @@ hoverZoomPlugins.push({
         // Return JSON object corresponding to path, without using the Evil eval
         // path syntax: [key1][key2][key3]...
         function getObjectFromPath(objJson, path) {
-            return new Function('return ' + JSON.stringify(objJson) + path)();
+            if (!path || path.length < 4) return objJson;
+            const keys = path.substr(2, path.length-4).split('"]["');
+            let result = objJson;
+            keys.forEach(key => result = result[key]);
+            return result;
         }
 
         // Find node with good id
@@ -518,4 +522,4 @@ hoverZoomPlugins.push({
         callback($(res), name);
     }
 
-});
+});
diff --git a/plugins/qwant.js b/plugins/qwant.js
@@ -106,7 +106,11 @@ hoverZoomPlugins.push({
         // Return JSON object corresponding to path, without using the Evil eval
         // path syntax: [key1][key2][key3]...
         function getObjectFromPath(objJson, path) {
-            return new Function('return ' + JSON.stringify(objJson) + path)();
+            if (!path || path.length < 4) return objJson;
+            const keys = path.substr(2, path.length-4).split('"]["');
+            let result = objJson;
+            keys.forEach(key => result = result[key]);
+            return result;
         }
 
         function cleanUrl(url) {

diff --git a/plugins/sogou.js b/plugins/sogou.js
@@ -160,7 +160,11 @@ hoverZoomPlugins.push({
         // Return JSON object corresponding to path, without using the Evil eval
         // path syntax: [key1][key2][key3]...
         function getObjectFromPath(objJson, path) {
-            return new Function('return ' + JSON.stringify(objJson) + path)();
+            if (!path || path.length < 4) return objJson;
+            const keys = path.substr(2, path.length-4).split('"]["');
+            let result = objJson;
+            keys.forEach(key => result = result[key]);
+            return result;
         }
 
         // return true if thumbnail found among internal data from Sogou