The Scheduler code really does use eval for JSON parsing. It can easily be changed to JSON.parse, but there are some other places where Scheduler uses non-CSP-compatible code.
We have CSP compatibility as a long-term goal, but I can’t provide any fixed date when it will be available.
On a side note, CSP mode doesn’t prevent XSS attacks; it just closes the most common sources of XSS. If data from the client side is not XSS-filtered before being stored in the database, then there is still room for an XSS attack.
A real downer, because we’re looking forward to using Scheduler as well as the dhtmlxsuite.
How can I keep the security guys happy?
dhtmlxScheduler uses “eval” for JSON parsing only.
If you are using strict JSON and do not plan to use old versions of IE, we can provide a build of dhtmlxScheduler without “eval”.
By the way, usage of “eval” is safe when you are using it against a controlled data source (a data feed from your own server is a controlled data source).
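The distinction the reply draws between strict JSON and the relaxed syntax an eval-based parser tolerates, as an added example that is not DHTMLX code: the legacy `eval` pattern beside a `JSON.parse` replacement that works under a CSP without `'unsafe-eval'`, plus a check you can run over your own feed before switching. The function names and sample feeds are constructed for illustration.

```javascript
// Added example, not dhtmlxScheduler's own code.

// Legacy pattern: wraps the feed in parentheses and evaluates it as a JS
// expression. Besides needing 'unsafe-eval' under CSP, it accepts relaxed,
// non-JSON syntax (unquoted keys, single quotes, trailing commas), so a feed
// that "works" today may not be strict JSON.
function parseFeedWithEval(text) {
  return eval("(" + text + ")");
}

// CSP-compatible replacement: only strict JSON is accepted. The error message
// points at the real fix (make the server emit strict JSON) rather than
// silently falling back to eval.
function parseFeedStrict(text) {
  try {
    return JSON.parse(text);
  } catch (e) {
    throw new SyntaxError(
      "Feed is not strict JSON, which the eval-free path requires: " + e.message
    );
  }
}

// Pre-migration check: true if the feed can be consumed without eval.
// Run it over every feed your server produces before removing eval.
function isStrictJsonFeed(text) {
  try {
    JSON.parse(text);
    return true;
  } catch (e) {
    return false;
  }
}

// Constructed sample feeds (not real scheduler data): the first is strict
// JSON, the second is the kind of relaxed JS-literal output only eval accepts.
const STRICT_FEED =
  '[{"id":1,"text":"Meeting","start_date":"2013-05-01 09:00","end_date":"2013-05-01 10:00"}]';
const RELAXED_FEED =
  "[{id:1, text:'Meeting', start_date:'2013-05-01 09:00', end_date:'2013-05-01 10:00',}]";
```

Both parsers agree on `STRICT_FEED`; only `parseFeedWithEval` accepts `RELAXED_FEED`, which is exactly the case a switch to the eval-free path would break.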
Can you provide the build without eval? We would like to use your scheduler, but cannot change our CSP.
Thanks and best regards
There is no separate build, but you can solve it using
Just add this file to the page after dhtmlxscheduler.js and it will override any unsafe code.
As a result, everything should work fine; no other functionality of the scheduler should be affected.