codestop-dom-proof - npm Package Compare versions

Comparing version 1.0.6 to 1.0.7

lib/proof.js

@@ -17,15 +17,35 @@ const cheerio = require('cheerio');
 
-    static async initialize(html, css) {
-        try {
-            const HTML = new HTMLLoader(html);
-            if (css) {
-                await HTML.addExternalCSS(css);
-            }
+    static async initialize(html, css, withScript = false) {
+        if (withScript) {
+            return Proof.initializeWithScript(html, css);
+        }
 
-            await HTML.load();
+        const HTML = new HTMLLoader(html);
+        if (css) {
+            await HTML.addExternalCSS(css);
+        }
 
-            return new Proof(HTML);
-        } catch(e) {
-            throw e;
+        await HTML.load();
+
+        return new Proof(HTML);
+    }
+
+    static async initializeWithScript(html, css) {
+        const HTML = new HTMLLoader(html);
+
+        if (css) {
+            await HTML.addExternalCSS(css);
         }
+
+        await HTML.load(true);
+
+        const jsPath = await Proof.loadScript(HTML.serialize());
+
+        if (jsPath) { // We have a JS file
+            const jsProof = await JSProof.default(jsPath);
+
+            return new Proof(HTML, jsProof);
+        }
+
+        return new Proof(HTML);
     }
@@ -37,13 +57,5 @@
 
-    async loadScript() {
-        const script = this.getScript();
+    static async loadScript(html) {
+        const script = Proof.getScript(html);
 
-        // Evaluate the JS file so it will not load the JS Proof file if it can't evaluate it.
-        try {
-            eval(script);
-        } catch(e) {
-            // Rethrow the error message only to hide our library from the user.
-            throw e.message;
-        }
-
         if (script && script.trim()) {
@@ -54,7 +66,7 @@ const file = await tmp.file();
 
-            this.js = await JSProof.default(file.path);
+            return file.path;
         }
     }
-    getScript() {
-        const ch = cheerio.load(this.html.serialize());
+    static getScript(html) {
+        const ch = cheerio.load(html);
         return ch.root().find('script').html();
@@ -61,0 +73,0 @@ }

package.json

 {
   "name": "codestop-dom-proof",
-  "version": "1.0.6",
+  "version": "1.0.7",
   "description": "",
@@ -21,3 +21,3 @@ "main": "index.js",
     "cheerio": "^1.0.0-rc.2",
-    "codestop-css-proof": "^1.0.8",
+    "codestop-css-proof": "^1.0.10",
     "codestop-js-proof": "^1.0",
@@ -24,0 +24,0 @@ "tmp": "0.0.33",

Fixed alerts

Uses eval

Supply chain risk

Package uses eval() which is a dangerous function. This prevents the code from running in certain environments and increases the risk that the code may contain exploits or malicious behavior.

Found 1 instance in 1 package

Improved metrics

Total package byte prevSize

2390

increased by9.03%

Lines of code

54

increased by10.2%

Number of medium supply chain risk alerts

0

decreased by-100%

Dependency changes

• Updatedcodestop-css-proof@^1.0.10