A note about expressions used in Expression and Validator widgets

BruceHulse
6-Contributor

I was having trouble building expressions for Expression and Validator widgets in Composer. I had a widget on the page named "name". I wanted to validate that the value was non-null, so I created a Validator widget and configured a parameter called NameValue. When I entered the expression [ NameValue!=="" ], Composer told me "You cannot use the eval function". After playing with it for quite some time, I discovered that Composer appears to be doing a simple indexOf test for eval (as well as alert - there might be more). So the expression cannot contain any case form of eval or alert (Nam eVal ue). This also generates the error no matter where the string appears - [ GoodName==="NameValue" ] is also invalid to Composer.

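The post above describes a substring test for "eval" that rejects any identifier containing those letters. The following is an added example (not ThingWorx or Composer code, and not the original poster's) that contrasts a naive indexOf-style blocklist with a check that matches blocked words only as whole identifiers outside string literals. The blocklist contents, the two function names and the sample expressions are assumptions chosen to mirror the cases in this thread.

```javascript
// Added example, not Composer's implementation. Assumed blocklist: the two
// words reported in the first post plus "for", which a later reply mentions.
const BLOCKED = ["eval", "alert", "for"];

// Naive check: a case-insensitive substring search, which is what the post
// suspects Composer does. It rejects NameValue because "namevalue" contains "eval".
function naiveBlocked(expr) {
  const lower = expr.toLowerCase();
  return BLOCKED.filter((word) => lower.indexOf(word) !== -1);
}

// Identifier-level check: drop string literal contents, then compare whole
// identifier tokens against the blocklist. JavaScript identifiers are
// case-sensitive, so only an exact token such as eval or for matches.
function tokenBlocked(expr) {
  // Replace "..." and '...' literals (with backslash escapes) by an empty string
  // so that text inside quotes cannot trigger the check.
  const noStrings = expr.replace(/"(?:\\.|[^"\\])*"|'(?:\\.|[^'\\])*'/g, '""');
  const identifiers = noStrings.match(/[A-Za-z_$][A-Za-z0-9_$]*/g) || [];
  const seen = new Set(identifiers);
  return BLOCKED.filter((word) => seen.has(word));
}

// Constructed sample expressions taken from the situations in this thread.
const SAMPLES = [
  'NameValue!==""',                 // legitimate parameter name, false positive for naive check
  'GoodName==="NameValue"',         // blocked word inside a string literal
  'name.indexOf("form") !== -1',    // "form" contains "for"
  'eval(x)',                        // an actual eval call, both checks flag it
  'for (var i = 0; i < 3; i++) {}', // an actual for loop, both checks flag it
];

for (const expr of SAMPLES) {
  console.log(JSON.stringify(expr), "naive:", naiveBlocked(expr), "token:", tokenBlocked(expr));
}
```

The identifier-level check removes the false positives on parameter names, but it is still only a word blocklist, not a sandbox: an expression is evaluated as JavaScript, so the real boundary is who is permitted to edit the mashup, which is the point the third reply in this thread makes.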
5 REPLIES

Great find. I count this as a bug, albeit a very minor one.

qngo
5-Regular Member
(To:BruceHulse)

I have an error too when the expression contains "for": "You cannot use for loops"!

I wanted to check if the name of the thing contains the word "form". There would be a lot more of restrictions when using Validator widget.

There are more reserved words which trigger it...

I usually end up doing something like this: "You cannot use f"+"or loops". And for the first case, as we decide parameter names, I just change the name.

I think this check is nonsense; it should not be there at all.

BruceHulse
6-Contributor
(To:BruceHulse)

I can appreciate preventing the use of the eval() function as it is an attack vector for hackers. But I do agree that the implementation should be doing a more thorough job of finding eval function calls and not just the string 'eval' somewhere in the expression.

I've opened C13159567 about this issue.

But you are not preventing eval at all; one can make a custom widget which executes it. If someone can enter a Mashup and edit it, then they can do the eval thing for sure.