https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39262 Bug ID: 39262 Summary: shotCartUpdate indirectly uses eval() Change sponsored?: --- Product: Koha Version: Main Hardware: All OS: All Status: NEW Severity: minor Priority: P5 - low Component: Architecture, internals, and plumbing Assignee: koha-bugs@lists.koha-community.org Reporter: dcook@prosentient.com.au QA Contact: testopia@bugs.koha-community.org In ./koha-tmpl/opac-tmpl/bootstrap/js/basket.js there is a function "showCartUpdate" which calls the following line: setTimeout("hideCart()", 2000); When you pass a string as the first argument to setTimeout, it performs an eval(). While I don't think there's any security risk in this, it's suboptimal, and it will cause problems when we try to use Content-Security-Policy later. We should just update this to the following: setTimeout(hideCart, 2000); -- There's probably other examples of this, but this is the one that jumped out to me while working on CSP. -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.