Webix and HP Fortify scan

In my company all software is scanned, and Webix has issues:
webix.js and webix-debug.js have “Dynamic Code Evaluation: Code Injection (Input Validation and Representation, Data Flow) - The file webix.js interprets unvalidated user input as source code on line 103. Interpreting user-controlled instructions at run-time can allow attackers to execute malicious code.” Until the software passes critical and high, I won't be able to use it. Many PHP files have cross-site scripting issues, but I can delete them so it is OK, but webix.js has to be fixed.

Hi,

The Webix code uses dynamic code evaluation to compile templates and date formatting helpers. In both cases, input values are not user-editable, so it must be XSS safe.

Also, you can enable strict mode, which will disable dynamic code:
http://docs.webix.com/api__env_strict_other.html

Starting from Webix 5.x it will be a default behavior.

Thanks, Maksim. Any ballpark release date for 5.x? Also, just want to be clear - if I scan Webix 5.x, it won’t have the issues I mentioned, is that correct?

if I scan webix 5.x, it won’t have the issues I mentioned

There will be no “eval” and similar techniques. I can’t guarantee that the resulting code will conform to all “HP fortify” checks, though.

5.0 will be released in September 2017
You can use env.strict to enforce the same behavior in the existing codebase.

Thanks for the response. I’m new to this. To disable dynamic code as per (http://docs.webix.com/api__env_strict_other.html), where should I add “webix.env.strict = true;”? In my main HTML page where I import webix.js?
Sample code would be greatly appreciated. Thank you.
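
An added illustration of the distinction discussed in this thread, not Webix code and not written by any poster: a toy template engine (all function names hypothetical) with an eval-style compiler of the kind a scanner reports as "Dynamic Code Evaluation", next to a strict variant that treats template text purely as data. It makes no claim about Webix internals or about where `webix.env.strict` has to be set.

```javascript
// Toy template engine for illustration only; not Webix source.
// Function names are hypothetical. Sample data below is constructed.

// Eval-style path: the template text is rewritten into JavaScript source
// and compiled with new Function. Whatever sits between the # markers is
// executed as an expression, which is why scanners flag this pattern.
function compileDynamic(template) {
  const body = "return " + JSON.stringify(template)
    .replace(/#([^#"\\]+)#/g, '" + (obj.$1) + "') + ";";
  return new Function("obj", body);
}

// Strict path: no eval and no new Function. Only plain identifiers are
// accepted as placeholders and they are resolved by own-property lookup,
// so template text can never become executable code.
function compileStrict(template) {
  const parts = template.split(/#([A-Za-z_$][\w$]*)#/);
  return function (obj) {
    let out = "";
    for (let i = 0; i < parts.length; i++) {
      if (i % 2 === 0) {
        out += parts[i]; // literal text between placeholders
      } else if (Object.prototype.hasOwnProperty.call(obj, parts[i])) {
        out += String(obj[parts[i]]); // captured placeholder name
      }
    }
    return out;
  };
}

// Constructed sample input.
const row = { name: "Ann", price: 3.5 };
const plain = "Item #name# costs #price#";
const expr = "Item #name# costs #price.toFixed(2)#";

// Both engines agree on a plain placeholder template.
console.log(compileDynamic(plain)(row));
console.log(compileStrict(plain)(row));
// The eval-style engine runs the method call embedded in the template;
// the strict engine leaves it as inert text.
console.log(compileDynamic(expr)(row));
console.log(compileStrict(expr)(row));
```

The strict variant removes the code-evaluation finding only; escaping the rendered values for HTML output is a separate concern.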