On Tue, 29 Dec 2020 at 21:37, sebb <seb...@gmail.com> wrote:
>
> On Tue, 29 Dec 2020 at 19:37, Sam Ruby <ru...@intertwingly.net> wrote:
> >
> > First, a link to the line of code in question:
> >
> > https://github.com/apache/whimsy/blob/9b1bd40e277969936f7b8138efb70b0ef28416f6/www/roster/views/committers.html.rb#L28
> >
> > Questions: is this still necessary, or is it moot given the direction to
> > make ICLAs private?
>
> The code can/will probably be removed, but in any case ruby2js ideally
> should not crash.
>
> > If necessary, can it be done via an @variable
> > rather than backticks?
I have moved the variable setup to main.rb, so it no longer causes a crash.
But the links are only usable for the secretarial team.

> > ---
> >
> > Background. Prior to Ruby 2.7, with $SAFE and taint support, one could
> > detect whether a given string contained unverified user input. Starting
> > with Ruby 2.7, this became impossible.
> >
> > Ruby2JS has the ability to evaluate an arbitrary string in the host
> > context, which could be very unsafe (consider "system rm -rf /"). I
> > made a change to only allow this if a binding is specified as an option
> > (not recommended, but possible).
> >
> > https://github.com/ruby2js/ruby2js/commit/704f1a5c20485414f1831938b0a4364a83fa1538
> >
> > I did this only after scanning all of the whimsy .js.rb files. What I
> > missed is that this was used in an html file with an embedded script.
> >
> > If this is still necessary, I would recommend it be done by evaluating a
> > host instance variable (@ivar) rather than evaluating an arbitrary
> > method call.
> >
> > ---
> >
> > Footnote: if you view source on
> > https://whimsy.apache.org/roster/committee/whimsy and scroll to the
> > bottom, you can see instance variables expanded (you will see, for
> > example, auth with your id).
> > If, however, you view source on
> > https://whimsy.apache.org/roster/committer/, you will see icla path
> > evaluated, but will not see that notinavail expanded (instead you will
> > see this._notinavail, i.e., evaluation of an instance variable inside of
> > a JavaScript class). I'm not sure yet what is going on here.
> >
> > - Sam Ruby
> >
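The "@ivar instead of an arbitrary method call" pattern recommended above, as an added Ruby illustration that is neither Ruby2JS's nor Whimsy's code; the PageContext class, the resolve_host_ref and expand_script helpers, and the sample values are assumptions constructed for this example:

```ruby
require 'json'

# Constructed host-side page context (not Whimsy's): the only values a page's
# embedded script may see are this object's instance variables.
class PageContext
  def initialize(auth:, notinavail:)
    @auth = auth
    @notinavail = notinavail
  end

  # The binding a template renderer must pass in explicitly.
  def host_binding
    binding
  end
end

IVAR_REF = /\A@[A-Za-z_]\w*\z/

# Resolve one backtick reference from a template. Two gates, in order:
#  1. refuse everything unless the caller explicitly supplied a host binding
#     (the same opt-in the ruby2js change discussed above introduces);
#  2. accept only a bare @ivar name, so a method call such as system("...")
#     or any other expression is rejected before anything is evaluated.
def resolve_host_ref(src, binding: nil)
  raise ArgumentError, "no host binding: refusing to evaluate #{src.inspect}" if binding.nil?
  raise ArgumentError, "not an instance variable reference: #{src.inspect}" unless IVAR_REF.match?(src)
  binding.receiver.instance_variable_get(src)
end

# Expand every `@ivar` inside a script template. Values are emitted as JSON
# literals, so host data lands in the page as a JS value, not as JS source.
def expand_script(template, binding:)
  template.gsub(/`([^`]*)`/) { resolve_host_ref(Regexp.last_match(1), binding: binding).to_json }
end

if __FILE__ == $PROGRAM_NAME
  ctx = PageContext.new(auth: { 'id' => 'example-user' }, notinavail: ['a', 'b'])
  puts expand_script('var auth = `@auth`; var notinavail = `@notinavail`;', binding: ctx.host_binding)
end
```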