Summary
Autocomplete callback currently executes callback text via eval().
Evidence
js/functions.js:593-595 in initSyslogAutocomplete():
if (onChange) {
eval(onChange);
}
Risk
eval() runs whatever string reaches onChange as JavaScript in the page's origin, so any path by which an attacker could influence that value becomes a client-side code-execution path. It also hides the callback's behaviour from static analysis (the called code is a string, not a symbol a linter or reviewer can follow) and is incompatible with a Content-Security-Policy whose script-src omits 'unsafe-eval'.
Expected fix
Use function references or a whitelist/map of allowed callback names instead of eval().
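As an added example (not code from the project), one way to implement the expected fix: a frozen map of allowed callback names plus a resolver that accepts either a function reference or a whitelisted name, and ignores anything else instead of evaluating it. The names ALLOWED_CALLBACKS, resolveOnChange, initSyslogAutocompleteSafe and the sample handlers are assumptions for illustration.

```javascript
// Added example, not the project's code. ALLOWED_CALLBACKS, resolveOnChange,
// initSyslogAutocompleteSafe and the handler names are hypothetical.

// Whitelist of callbacks that may be requested by name. Only functions
// registered here can ever be invoked from a string value; the string
// itself is never interpreted as code.
const ALLOWED_CALLBACKS = Object.freeze({
  refreshSyslogTable: function (value) { return 'refresh:' + value; },
  clearSyslogFilter: function (value) { return 'clear:' + value; },
});

// Resolve an onChange argument to a function, or null if it is not acceptable.
// Accepts a function reference directly, or a string naming a registered
// callback. Code text such as "alert(1)" and prototype keys such as
// "constructor" or "__proto__" are rejected because the lookup only
// honours the map's own properties.
function resolveOnChange(onChange) {
  if (typeof onChange === 'function') {
    return onChange;
  }
  if (typeof onChange === 'string' &&
      Object.prototype.hasOwnProperty.call(ALLOWED_CALLBACKS, onChange)) {
    return ALLOWED_CALLBACKS[onChange];
  }
  return null;
}

// Stand-in for the autocomplete wiring: the callback is resolved once at
// init time and the returned onSelect handler calls it with the selected
// value. An unresolvable callback is ignored rather than evaluated.
function initSyslogAutocompleteSafe(onChange) {
  const handler = resolveOnChange(onChange);
  return function onSelect(value) {
    if (handler === null) {
      return undefined;
    }
    return handler(value);
  };
}
```

Callers that today pass a string of code would pass either a function (`initSyslogAutocompleteSafe(function (v) { ... })`) or one of the registered names. Do not substitute `new Function(onChange)` for `eval`: it has the same code-execution and CSP consequences. Once the eval() call is gone, 'unsafe-eval' can be dropped from the page's script-src.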