formio.js: [BUG] formio.js requires unsafe-eval tag to operate

Environment

Please provide as many details as you can: Adding CSP headers will raise an error and forms won’t render: image

Which refers to: https://github.com/EventEmitter2/EventEmitter2/blob/master/lib/eventemitter2.js#L306

  • Hosting type
    • Form.io
    • Local deployment
      • Version: Nginx 1.7.8
  • Formio.js version: 4.9.26
  • Vue-Formio version: 4.0.2
  • Frontend framework: VueJS 2.6.11
  • Browser: Chrome
  • Browser version: 81.0.4044.138

Steps to Reproduce

  1. Apply CSP headers without unsafe-eval tag
  2. Run the environment

Expected behavior

I guess formio should work without unsafe-eval tag.

Observed behavior

It does not.

So, I just wonder if this is fixable by using some other library.

About this issue

  • Original URL
  • State: closed
  • Created 4 years ago
  • Reactions: 2
  • Comments: 19 (8 by maintainers)

Most upvoted comments

The 5.x branch is under development now but has a lot more features to be completed first. We are looking at around the end of the year for a release of it.

+2
randallknutson on Aug 3, 2020

You can turn off unsafe-eval for a web page and most of the form.io functionality will still work. There are some places where you can write custom javascript (such as default values and custom conditionals) that will not work if you do that but the system is designed to degrade gracefully and just not execute the javascript if that is the case.

We are finishing up some new functionality in the next major version that will allow configuring almost any contitional, validation and other functionality without needing to write any javascript. This should nearly completely remove the need for eval at all.

+1
randallknutson on May 28, 2020
Read more comments on GitHub
← formio.js: [BUG] FormBuilder error: Uncaught (in promise) Missing projectId
auto-animate: Maximum update depth exceeded on 8.0.0 →