SystemSh0cker/monaco-editor
1
0
Fork 0
mirror of https://github.com/microsoft/monaco-editor.git synced 2025-12-22 12:45:39 +01:00
Code Issues Projects Releases Packages Activity

Adresses https://github.com/microsoft/vscode-internalbacklog/issues/4449

Browse source
This commit is contained in:
Henning Dieterichs 2023-07-06 23:20:35 +02:00
parent 34f6c10073
commit f70fabb863
No known key found for this signature in database
GPG key ID: 771381EFFDB9EC06
6 changed files with 12 additions and 7 deletions
Download patch file Download diff file Expand all files Collapse all files

2
website/src/monaco-loader.ts
View file

@ -84,7 +84,7 @@ function loadScript(path: string): Promise<void> {
script.onload = () => res();
script.async = true;
script.type = "text/javascript";
script.src = path;
script.src = path; // CodeQL [SM01507] This is safe because the runner (that allows for dynamic paths) runs in an isolated iframe. The hosting website uses a static path configuration. // CodeQL [SM03712] This is safe because the runner (that allows for dynamic paths) runs in an isolated iframe. The hosting website uses a static path configuration.
document.head.appendChild(script);
});
}

4
website/src/runner/index.ts
View file

@ -21,7 +21,7 @@ window.addEventListener("message", (event) => {
const style = document.getElementById(
"custom-style"
) as HTMLStyleElement;
style.innerHTML = e.css;
style.innerHTML = e.css; // CodeQL [SM03712] This is safe because the runner runs in an isolated iframe.
}
});
@ -54,7 +54,7 @@ async function initialize(state: IPreviewState) {
const js = massageJs(state.js);
try {
eval(js);
eval(js); // CodeQL [SM01632] This is safe because the runner runs in an isolated iframe. This feature is essential to the functionality of the playground. // CodeQL [SM02688] This is safe because the runner runs in an isolated iframe. This feature is essential to the functionality of the playground.
} catch (err) {
const pre = document.createElement("pre");
pre.appendChild(

2
website/static/monarch/monarch.js
View file

@ -58,7 +58,7 @@ function createLangModel(languageId, text) {
var update = function () {
var def = null;
try {
def = eval("(function(){ " + langModel.getValue() + "; })()");
def = eval("(function(){ " + langModel.getValue() + "; })()"); // CodeQL [SM01632] langModel.getValue() is a default value with volatile user modifications. This is an essential functionality for the monarch playground and safe, as no injection is possible.
} catch (err) {
setInnerText(outputPane, err + "\n");
return;