Security issue in webix 6.0.1

Issue Summary:
We have identified a Content Security Policy (CSP) violation related to the use of eval() within the Webix library.
CSP Directive Violated: script-src
Blocked Resource: eval in webix.js

Code Reference:
function toFunctor(str, scope) {
    if (typeof str == "string") {
        var method = str.replace("()", "");
        if (scope && scope[method]) return scope[method];
        return window[method] || window.eval(str); // ← CSP violation
    }
    return str;
}

Security Impact:
Our current CSP configuration does not allow 'unsafe-eval', as it significantly reduces browser-side security and increases the risk of XSS vulnerabilities.
As a result, any use of eval() is blocked by the browser, which leads to runtime issues and repeated CSP violation reports during application usage.
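For readers hitting the same report, here is an added example (not Webix's code, and not part of the original thread) of how a handler-name resolver like the quoted toFunctor() can be written without eval, plus a small check for whether a CSP header's script policy permits eval at all. The names toFunctorSafe and scriptSrcAllowsEval are assumed for illustration. The resolver goes a little beyond the quoted snippet: it also walks dotted paths such as "app.handlers.onSave" against an explicit root object, and it refuses to turn arbitrary code strings into functions, which is exactly the step that a CSP without 'unsafe-eval' blocks.

```javascript
// Added example, not Webix library code. toFunctorSafe is a hypothetical
// eval-free replacement for a helper that maps a handler name to a function.
// It resolves the name against an explicit scope first, then against a root
// object (globalThis by default), and never evaluates the string as code, so
// it works under a script-src policy that omits 'unsafe-eval'.
function toFunctorSafe(str, scope, root) {
  if (typeof str !== "string") return str;          // already a function (or other value)
  var method = str.replace(/\(\)$/, "");            // strip only a trailing "()"
  if (scope && typeof scope[method] === "function") return scope[method];

  // Walk a dotted path ("app.handlers.onSave") one property at a time.
  var target = root === undefined ? globalThis : root;
  var parts = method.split(".");
  for (var i = 0; i < parts.length; i++) {
    if (target == null) return undefined;           // path broke off early
    target = target[parts[i]];
  }
  // Anything that is not a reachable function (including inline code text)
  // is rejected instead of being handed to eval.
  return typeof target === "function" ? target : undefined;
}

// Parse a Content-Security-Policy header value and report whether the
// directive governing scripts permits eval(). script-src falls back to
// default-src when absent; if neither is present, scripts are unrestricted.
function scriptSrcAllowsEval(csp) {
  var directives = {};
  csp.split(";").forEach(function (part) {
    var tokens = part.trim().split(/\s+/);
    if (tokens[0]) directives[tokens[0].toLowerCase()] = tokens.slice(1);
  });
  var sources = directives["script-src"] || directives["default-src"];
  if (!sources) return true;                        // no script restriction at all
  return sources.indexOf("'unsafe-eval'") !== -1;
}

// Constructed sample usage.
var handlers = { save: function () { return "saved"; } };
toFunctorSafe("save()", handlers);                         // -> handlers.save
toFunctorSafe("alert(document.cookie)", handlers, {});     // -> undefined, not evaluated
scriptSrcAllowsEval("default-src 'self'; script-src 'self'"); // -> false
```

The point of the check is operational: if scriptSrcAllowsEval() returns false for the policy you serve, any library code path that still reaches eval() will fail at runtime, which is the behaviour the report above describes.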

Good day @pravingorad ,
The Webix UI library provides an option to enable the “strict” mode ( available in the old Webix versions too ), which doesn’t make use of eval and other inline handlers. Strict mode can be enabled by defining a “webix_strict” global variable before Webix files are included into the page:

<script>
window.webix_strict = true;
</script>
<script src="../webix.js" type="text/javascript"></script>
<link rel="stylesheet" href="../webix.css" type="text/css">