d3 / d3-dsv

A parser and formatter for delimiter-separated values, such as CSV and TSV.

Home Page: https://d3js.org/d3-dsv

Avoid "Function" constructor

tdelmas opened this issue

https://github.com/d3/d3-dsv/blob/master/src/dsv.js#L8

https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Function

The Function constructor is not allowed in browser context when a safe CSP is used (without unsafe-eval). For example, it prevents the usage of Plotly with a safe CSP because it uses this package: plotly/plotly.js#897

https://github.com/d3/d3-dsv#content-security-policy

If a content security policy is in place, note that dsv.parse requires unsafe-eval in the script-src directive, due to the (safe) use of dynamic code generation for fast parsing. (See source.) Alternatively, use dsv.parseRows.

Maybe a replacement for dsv.parse (ex. dsv.parseSafe) should be given?

I recommend using parseRows as suggested in the text you pasted from the README and a row function to turn the array of field values into an object.
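
The approach recommended in the reply above, as an added example that is not part of the original thread or d3-dsv's own code: a wrapper that builds row objects through the `parseRows` row function, so no `Function` constructor runs and `script-src` can omit `unsafe-eval`. The names `parseObjects` and `standInParseRows` are hypothetical; the stand-in parser and sample text are constructed so the block runs offline, and in real use you would pass `d3.csvParseRows` or another `dsv.parseRows`.

```javascript
// CSP-safe substitute for dsv.parse: objects are built with plain property
// assignment instead of dynamically generated code.
// `parseRows` must follow d3-dsv's parseRows(text, row) contract: `row` is
// called with (fields, index), and a null/undefined return drops the row.
function parseObjects(parseRows, text, convert) {
  let columns = [];
  const rows = parseRows(text, (fields, i) => {
    if (i === 0) {
      columns = fields; // first row holds the column names
      return null;      // keep the header out of the output
    }
    const obj = {};
    columns.forEach((name, j) => {
      // Choice made in this example: short rows yield "" for missing fields.
      obj[name] = fields[j] === undefined ? "" : fields[j];
    });
    // Optional per-row conversion, receiving (object, index, columns).
    return convert ? convert(obj, i - 1, columns) : obj;
  });
  rows.columns = columns; // expose the header, as dsv.parse does
  return rows;
}

// Constructed stand-in for d3.csvParseRows (no quoting support), present
// only so the example runs without the library installed.
function standInParseRows(text, row) {
  const out = [];
  text.split("\n").filter(Boolean).forEach((line, i) => {
    const r = row(line.split(","), i);
    if (r != null) out.push(r);
  });
  return out;
}

// Constructed sample input; the last row is deliberately short.
const sample = "name,role\nalice,admin\nbob\n";

function demo() {
  return parseObjects(standInParseRows, sample);
}

console.log(demo());
```
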