Issue Summary:
We have identified a Content Security Policy (CSP) violation related to the use of eval() within the Webix library.
CSP Directive Violated: script-src
Blocked Resource: eval in webix.js
Code Reference:
    function toFunctor(str, scope) {
        if (typeof str == "string") {
            var method = str.replace("()", "");
            if (scope && scope[method]) return scope[method];
            return window[method] || window.eval(str); // <-- CSP violation: falls back to eval for any unresolved string
        }
        return str;
    }
Security Impact:
Our current CSP configuration does not allow 'unsafe-eval', as allowing it significantly reduces browser-side security and increases the risk of XSS vulnerabilities.
As a result, any use of eval() is blocked by the browser, which leads to runtime issues and repeated CSP violation reports during application usage.
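For comparison, here is an added example (not Webix code) of a CSP-compatible replacement for the fallback shown above: handler names, including dotted paths, are resolved by property lookup on the scope object and then on the global object, and any string that is not a plain identifier path is refused instead of being passed to eval. The names toFunctorSafe, resolvePath and sampleScope are assumptions made for this example.

```javascript
// Walk a dotted path such as "app.handlers.onClick" one property at a time,
// stopping with undefined at the first missing link (no eval involved).
function resolvePath(root, path) {
  return path.split(".").reduce(function (obj, key) {
    return obj == null ? undefined : obj[key];
  }, root);
}

// Only identifier paths are accepted. Anything else (operators, brackets,
// quotes) is exactly what the original fallback would have handed to eval.
var IDENT_PATH = /^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$/;

// CSP-safe counterpart of toFunctor: same contract (string or function in,
// function out) but never executes source text. globalObj defaults to
// globalThis so the example also runs outside a browser.
function toFunctorSafe(str, scope, globalObj) {
  globalObj = globalObj || globalThis;
  if (typeof str !== "string") return str;
  var name = str.replace("()", "").trim();
  if (!IDENT_PATH.test(name)) {
    throw new Error("toFunctorSafe: refusing non-identifier handler " + JSON.stringify(str));
  }
  var fn = (scope && resolvePath(scope, name)) || resolvePath(globalObj, name);
  return typeof fn === "function" ? fn : undefined;
}

// Feature test a library can run once at load time: under a CSP without
// 'unsafe-eval', constructing a Function throws, so code paths that would
// need eval can be disabled instead of producing violation reports.
function evalAllowed() {
  try {
    new Function("return 1");
    return true;
  } catch (e) {
    return false;
  }
}

// Constructed sample scope, shaped like handlers referenced from a UI config.
var sampleScope = {
  onSave: function () { return "saved"; },
  nested: { onClose: function () { return "closed"; } }
};
```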