Lines 999-1039javascript
1000 * Compile an inline-body string into a handler function whose single
1001 * parameter is `e` (the event detail object). Uses the same dynamic
1002 * `Function(...)` constructor that browsers use internally for inline
1003 * event-handler attributes such as `<a onclick="...">`; the input here
1004 * is consumer-authored markup, never network data, so the surface is
1005 * exactly that of an inline event-handler attribute and the same CSP
1006 * caveats apply (strict CSP without `'unsafe-eval'` blocks it). A
1007 * `//# sourceURL=jssm-on:N` pragma is appended so devtools stack traces
1008 * point at a meaningful name.
1010 * @param body - The inline JS body (function body, not full function).
1011 * @param source_id - A short identifier for the sourceURL pragma.
1012 * @returns The compiled handler.
1014function compile_inline_body(body, source_id) {
1015 const wrapped = `${body}\n//# sourceURL=jssm-on:${source_id}`;
1016 // The Function constructor is intentional here — see the docblock above
1017 // for the rationale and the CSP caveat. Equivalent to how browsers wire
1018 // up inline event handlers; the input is consumer-authored markup.
1019 // eslint-disable-next-line @typescript-eslint/no-implied-eval, no-new-func
1020 return new Function('e', wrapped); // skipcq: JS-0086
1021}
LowEval
Package source references a known benign dynamic code generation pattern.
dist/wc/instance.jsView on unpkg · L1019 1023 * Resolve a `<jssm-instance>`'s FSL source from the three legal channels:
1024 * the `fsl=""` attribute, a child `<script type="text/fsl">`, and the
1025 * element's own text content (after stripping the script and any
1026 * `<jssm-*>` companion tags). Exactly one channel may be used; using
1027 * none or more than one is an error.
1029 * Pulled out as a pure function so it's testable without spinning up a
1033 * const div = document.createElement('div');
1034 * div.setAttribute('fsl', 'Off -> On;');
1035 * resolve_fsl_source(div as HTMLElement, 'Off -> On;');
1036 * // => { fsl: 'Off -> On;', provided_count: 1, error: undefined }
1039 * @param host - The `<jssm-instance>` element being resolved.