fix: load benchmark data with json parse instead of eval#3
Open
mooncitydev wants to merge 1 commit into AztecProtocol:gh-pages from
Conversation
Made-with: Cursor
hey team, bumped into the benchmark viewer while poking at the repo and tightened up how data.js gets loaded.
Previously the page used eval() on the fetched script and on the big inline main-script block. The remote data.js is really just window.BENCHMARK_DATA assignment with JSON from github-action-benchmark, so eval was running whatever bytes came back from the raw URL. That is brittle for supply chain tampering and harder to reason about than parsing.
Now it walks the assignment, tracks JSON string state, and JSON.parses the object. The deferred app code runs by injecting a real script node instead of eval.
Also the error path stuffed the branch name from the query string into innerHTML, which was a DOM XSS footgun if someone opened a crafted link. Replaced that with textContent and created elements.
Not sure how you want to roll this out to the per-branch copies of index under bench subfolders; this PR only touches bench/index.html at the root viewer.
cheers
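The loader described in this PR, as an added example written for this page (not the PR's own code, not part of the Aztec repo): it accepts only a `window.BENCHMARK_DATA = {...}` assignment, walks the object literal while tracking JSON string state so braces inside strings are ignored, rejects any trailing code, and hands the slice to JSON.parse instead of eval. The sample data.js below is constructed in the github-action-benchmark shape; the assumption that the file is exactly that assignment with an optional trailing semicolon is the example's own.

```javascript
// Only a bare assignment to window.BENCHMARK_DATA is accepted (assumed shape).
const ASSIGNMENT_PREFIX = /^\s*window\.BENCHMARK_DATA\s*=\s*/;

// Return the index just past the closing brace of the object literal that
// starts at `start`. JSON string state is tracked so that braces and escaped
// quotes inside string values do not confuse the brace counting.
function findObjectEnd(text, start) {
  let depth = 0;
  let inString = false;
  for (let i = start; i < text.length; i++) {
    const ch = text[i];
    if (inString) {
      if (ch === '\\') i++;              // skip the escaped character
      else if (ch === '"') inString = false;
    } else if (ch === '"') {
      inString = true;
    } else if (ch === '{') {
      depth++;
    } else if (ch === '}') {
      depth--;
      if (depth === 0) return i + 1;
    }
  }
  return -1;                             // unbalanced: not a well-formed object
}

// Parse the fetched data.js text without executing it.
function parseBenchmarkData(source) {
  const m = ASSIGNMENT_PREFIX.exec(source);
  if (!m || source[m[0].length] !== '{') {
    throw new Error('data.js is not a window.BENCHMARK_DATA object assignment');
  }
  const start = m[0].length;
  const end = findObjectEnd(source, start);
  if (end < 0) throw new Error('unterminated object literal in data.js');
  // Only whitespace and an optional semicolon may follow the object; anything
  // else (e.g. a script appended to a tampered file) is rejected, not run.
  if (!/^\s*;?\s*$/.test(source.slice(end))) {
    throw new Error('unexpected trailing content in data.js');
  }
  // JSON.parse never executes code; malformed input surfaces as an exception.
  return JSON.parse(source.slice(start, end));
}

// Constructed sample in the github-action-benchmark layout (not real data).
const SAMPLE_DATA_JS = 'window.BENCHMARK_DATA = {"lastUpdate": 1700000000000, ' +
  '"repoUrl": "https://example.invalid/repo", "entries": {"Benchmark": [{"commit": ' +
  '{"id": "0000000", "message": "msg with } brace"}, "benches": [{"name": "prove", ' +
  '"value": 12.5, "unit": "ms"}]}]}};';
```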