erp5_officejs: getting rid of eval in action handling

d37bafac · Roque · 760eb593 · d37bafac · d37bafac · d37bafac
Commit d37bafac authored Apr 23, 2019 by Roque
3 changed files
--- a/bt5/erp5_officejs/PathTemplateItem/web_page_module/gadget_officejs_discussion_tool_appcache.xml
+++ b/bt5/erp5_officejs/PathTemplateItem/web_page_module/gadget_officejs_discussion_tool_appcache.xml
@@ -229,6 +229,10 @@ gadget_officejs_form_view.html\n
 gadget_officejs_form_view.js\n
 gadget_erp5_page_handle_action.html\n
 gadget_erp5_page_handle_action.js\n
+gadget_field_new_action_js_script.html\n
+gadget_field_new_action_js_script.js\n
+gadget_field_reply_action_js_script.html\n
+gadget_field_reply_action_js_script.js\n
 \n
 #needed for appcachestorage sync\n
 /\n
@@ -738,7 +742,7 @@ NETWORK:\n
            </item>
            <item>
                <key> <string>serial</string> </key>
-                <value> <string>975.7925.35634.50875</string> </value>
+                <value> <string>975.15178.25005.32409</string> </value>
            </item>
            <item>
                <key> <string>state</string> </key>
@@ -756,7 +760,7 @@ NETWORK:\n
                    </tuple>
                    <state>
                      <tuple>
-                        <float>1555618417.31</float>
+                        <float>1556053135.7</float>
                        <string>UTC</string>
                      </tuple>
                    </state>

--- a/bt5/erp5_officejs/PathTemplateItem/web_page_module/gadget_officejs_page_handle_action_js.js
+++ b/bt5/erp5_officejs/PathTemplateItem/web_page_module/gadget_officejs_page_handle_action_js.js
-/*global window, rJS, RSVP */
+/*global window, document, rJS, RSVP */
 /*jslint nomen: true, indent: 2, maxerr: 3 */
 /*jslint evil: true */
-(function (window, rJS, RSVP) {
+(function (window, document, rJS, RSVP) {
  "use strict";
  var gadget_utils, action_reference, action_type, action_gadget;
@@ -24,7 +24,7 @@
    /////////////////////////////////////////////////////////////////
    .declareMethod("render", function (options) {
-      var gadget = this, parent_portal_type, action_code;
+      var gadget = this, parent_portal_type, action_gadget_url;
      return RSVP.Queue()
        .push(function () {
          return RSVP.all([
@@ -44,13 +44,16 @@
            .push(function (form_definition) {
              if (action_type === "object_jio_js_script") {
                if (form_definition.fields_raw_properties.hasOwnProperty("gadget_field_action_js_script")) {
-                  // eval must be removed. use loaded action gadget from gadgetfield
+                  action_gadget_url = form_definition.fields_raw_properties.gadget_field_action_js_script.values.gadget_url;
-                  action_code = form_definition.fields_raw_properties.gadget_field_action_js_script.values.renderjs_extra[0];
+                  var fragment = document.createElement('div');
-                  return window.eval.call(window, '(function (gadget, gadget_utils, options, action_reference, parent_portal_type, form_definition, submit_code) {' + action_code[0] + '})')(gadget, gadget_utils, options, action_reference, parent_portal_type, form_definition, action_code[1]);
+                  gadget.element.appendChild(fragment);
-                  return form.getDeclaredGadget('gadget_field_action_js_script')
+                  return gadget.declareGadget(action_gadget_url, {
+                    scope: "action_field",
+                    element: fragment
+                  })
                    .push(function (declared_gadget) {
                      action_gadget = declared_gadget;
-                      action_gadget.handleRender(gadget, gadget_utils, options, action_reference, parent_portal_type, form_definition);
+                      return action_gadget.handleRender(gadget, gadget_utils, options, action_reference, parent_portal_type, form_definition);
                    });
                } else {
                  throw "Field 'gadget_field_action_js_script' missing in action form. Please check '" + action_reference + "' action configuration.";
@@ -82,9 +85,7 @@
        content_dict = options[2],
        submit_code = gadget.state.submit_code;
      if (action_type === "object_jio_js_script") {
-        // eval must be removed. use loaded action gadget from gadgetfield
-        return window.eval.call(window, '(function (gadget, gadget_utils, jio_key, content_dict) {' + submit_code + '})')(gadget, gadget_utils, jio_key, content_dict);
        action_gadget.handleSubmit(gadget, gadget_utils, jio_key, content_dict);
      }
    });
-}(window, rJS, RSVP));
+}(window, document, rJS, RSVP));
--- a/bt5/erp5_officejs/PathTemplateItem/web_page_module/gadget_officejs_page_handle_action_js.xml
+++ b/bt5/erp5_officejs/PathTemplateItem/web_page_module/gadget_officejs_page_handle_action_js.xml
@@ -269,7 +269,7 @@
            </item>
            <item>
                <key> <string>serial</string> </key>
-                <value> <string>975.13563.49723.204</string> </value>
+                <value> <string>975.15167.546.1297</string> </value>
            </item>
            <item>
                <key> <string>state</string> </key>
@@ -287,7 +287,7 @@
                    </tuple>
                    <state>
                      <tuple>
-                        <float>1555958089.16</float>
+                        <float>1556052425.93</float>
                        <string>UTC</string>
                      </tuple>
                    </state>