  • Resolved doob8 (@doob8)

    Hi there,

    PHPEnkoder is one of my favorite plugins for WordPress. Unfortunately it has one flaw that could cause security issues: the eval statement used to process the encrypted strings.

    It is a very good security enhancement to enable Content Security Policy in .htaccess. But for PHPEnkoder one has to weaken the XSS-scripting protection by allowing unsafe-eval explicitly.

    It would be great if a future version got rid of any eval JavaScript command, to allow website hardening via Content Security Policy properly.

    What do you think?

    https://wordpress.org/plugins/php-enkoder/

Viewing 1 replies (of 1 total)
  • Plugin Author michael_greenberg (@michael_greenberg)


    The point of using eval is that it forces clients to have a full JS implementation (and to do some computational work) to get the email address out. This project started well before HTML5 and Content Security Policies were a thing.

    I’ve thought about forcing the client to decrypt the email in some computationally intensive way, instead of using eval. But, to be honest, making that change isn’t a high priority for me. I am, of course, open to patches!
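As an added illustration of the two posts above (not code from this thread or from PHPEnkoder, whose real obfuscation scheme is not shown here), the following uses a constructed toy obfuscation to show an eval-based decoder next to an eval-free one, and a check of which CSP header value each needs. The encoding scheme, the e-mail address and both header strings are constructed for this example.

```javascript
// Constructed example: toy e-mail obfuscation (NOT PHPEnkoder's algorithm)
// decoded with and without eval, plus a check of the CSP each approach needs.

// Weakened CSP: eval-based decoding only works if 'unsafe-eval' is allowed,
// which also re-enables eval for any script an attacker manages to inject.
const CSP_ALLOWING_EVAL = "default-src 'self'; script-src 'self' 'unsafe-eval'";
// Hardened CSP: no eval, no inline script. Only an eval-free decoder works here.
const CSP_STRICT = "default-src 'self'; script-src 'self'";

// Toy obfuscation (constructed): shift each code point, then reverse the order.
function encodeEmail(email, shift) {
  const codes = Array.from(email, (ch) => ch.codePointAt(0) + shift);
  return { shift, codes: codes.reverse() };
}

// Eval-based decoder: builds JavaScript source text and executes it.
// This is the pattern that forces 'unsafe-eval' into script-src.
function decodeWithEval(payload) {
  const src =
    `[${payload.codes.join(",")}]` +
    `.map(c => String.fromCodePoint(c - ${payload.shift})).reverse().join("")`;
  return eval(src); // blocked by CSP_STRICT, allowed by CSP_ALLOWING_EVAL
}

// Eval-free decoder: same result as a pure function, so it runs under CSP_STRICT.
function decodeWithoutEval(payload) {
  return payload.codes
    .map((c) => String.fromCodePoint(c - payload.shift))
    .reverse()
    .join("");
}

// Returns true if a CSP header value lets eval run: 'unsafe-eval' listed in
// script-src, or in default-src when no script-src directive is present.
function cspAllowsEval(csp) {
  const directives = new Map();
  for (const part of csp.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) directives.set(tokens[0].toLowerCase(), tokens.slice(1));
  }
  const sources = directives.get("script-src") ?? directives.get("default-src") ?? [];
  return sources.some((s) => s.toLowerCase() === "'unsafe-eval'");
}

// Usage: both decoders recover the address; only one needs the weakened CSP.
const payload = encodeEmail("author@example.com", 3);
console.log(decodeWithoutEval(payload), cspAllowsEval(CSP_STRICT)); // author@example.com false
```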

  • The topic ‘Content Security Policy and eval’ is closed to new replies.