
A note about expressions used in Expression and Validator widgets

BruceHulse
Regular Member

I was having trouble building expressions for Expression and Validator widgets in Composer. I had a widget on the page named "name". I wanted to validate that the value was non-null, so I created a Validator widget and configured a parameter called NameValue. When I entered the expression [ NameValue!=="" ], Composer told me "You cannot use the eval function". After playing with it for quite some time, I discovered that Composer appears to be doing a simple indexOf test for eval (as well as alert - there might be more). So the expression cannot contain any case form of eval or alert (Nam eVal ue). This also generates the error no matter where the string appears - [ GoodName==="NameValue" ] is also invalid to Composer.

Re: A note about expressions used in Expression and Validator widgets

Great find. I count this as a bug, albeit a very minor one.

Re: A note about expressions used in Expression and Validator widgets

I have an error too when the expression contains "for": "You cannot use for loops"!

I wanted to check if the name of the thing contains the word "form". There would be a lot more restrictions when using the Validator widget.

Re: A note about expressions used in Expression and Validator widgets

There are more reserved words which trigger it...

I usually end up doing something like this "You cannot use f"+"or loops". And for the first case, as we decide parameter names, I just change the name.

I think this check is nonsense; it should not be there at all.

Re: A note about expressions used in Expression and Validator widgets

I can appreciate preventing the use of the eval() function as it is an attack vector for hackers. But I do agree that the implementation should be doing a more thorough job of finding eval function calls and not just the string 'eval' somewhere in the expression.

I've opened C13159567 about this issue.
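
The difference between the substring test described in this thread and a check that looks at whole identifiers, as an added example (not part of the original posts and not Composer's code). The function names are hypothetical, the blocked-word list contains only the words reported in the thread, and the sample expressions are constructed from the ones quoted above.

```javascript
// Added example. Function names are hypothetical; this is not Composer's code.
// Words the thread reports as rejected (the posters say there are more).
const BLOCKED = ["eval", "alert", "for"];

// The check as the thread describes it: case-insensitive substring search.
function naiveCheck(expr) {
  const lower = expr.toLowerCase();
  return BLOCKED.filter((word) => lower.indexOf(word) !== -1);
}

// String literals are consumed whole; everything else is scanned for identifiers.
const TOKEN = /"(?:\\.|[^"\\])*"|'(?:\\.|[^'\\])*'|[A-Za-z_$][\w$]*/g;

// Token-aware check: report a blocked word only when it is a whole identifier
// outside a string literal. Case-sensitive, because JavaScript identifiers are.
function tokenCheck(expr) {
  // Template literals can embed code and "/" may start a regex or comment,
  // which this small tokenizer cannot classify, so keep the strict check there.
  if (/[`\/]/.test(expr)) return naiveCheck(expr);
  const hits = new Set();
  for (const match of expr.matchAll(TOKEN)) {
    const token = match[0];
    if (token[0] === '"' || token[0] === "'") continue; // string literal
    if (BLOCKED.includes(token)) hits.add(token);
  }
  return [...hits];
}

// Constructed sample expressions based on the ones quoted in the thread.
const SAMPLES = [
  'NameValue !== ""',
  'GoodName === "NameValue"',
  'name.indexOf("form") >= 0',
  "eval(NameValue)",
];
for (const expr of SAMPLES) {
  console.log(expr, "| naive:", naiveCheck(expr), "| token-aware:", tokenCheck(expr));
}
```

This removes the false positives reported above; it is a lint-style check on the expression text and does not sandbox what the expression can do.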

Re: A note about expressions used in Expression and Validator widgets

But you are not preventing eval at all; one can make a custom widget which executes it. If someone can enter a Mashup and edit it, then they can do the eval thing for sure.
