Merge branch 'master' into bootstrap4

CHANGES.md

@@ -1,5 +1,9 @@
 # Changelog
 
+## 3.3.4 (Unreleased)
+
+- Avoid `eval` (via `_.template` from lodash).
+
 ## 3.3.3 (2018-02-14)
 
 ### Bugfixes

src/converse-core.js

@@ -20,7 +20,7 @@
             "backbone.nativeview",
             "backbone.browserStorage"
     ], factory);
-}(this, function (sizzle, Promise, _, f, polyfill, i18n, utils, moment, Strophe, pluggable, Backbone) {
+}(this, function (sizzle, Promise, _, f, polyfill, i18n, u, moment, Strophe, pluggable, Backbone) {
 
     /* Cannot use this due to Safari bug.
      * See https://github.com/jcbrand/converse.js/issues/196
@@ -217,7 +217,7 @@
         /* Private function, used to add a new promise to the ones already
          * available via the `waitUntil` api method.
          */
-        _converse.promises[promise] = utils.getResolveablePromise();
+        _converse.promises[promise] = u.getResolveablePromise();
     }
 
     _converse.emit = function (name) {
@@ -235,7 +235,7 @@
     _converse.initialize = function (settings, callback) {
         "use strict";
         settings = !_.isUndefined(settings) ? settings : {};
-        const init_promise = utils.getResolveablePromise();
+        const init_promise = u.getResolveablePromise();
 
         _.each(PROMISES, addPromise);
 
@@ -617,7 +617,7 @@
 
         this.initStatus = () =>
             new Promise((resolve, reject) => {
-                const promise = new utils.getResolveablePromise();
+                const promise = new u.getResolveablePromise();
                 this.xmppstatus = new this.XMPPStatus();
                 const id = b64_sha1(`converse.xmppstatus-${_converse.bare_jid}`);
                 this.xmppstatus.id = id; // Appears to be necessary for backbone.browserStorage
@@ -1142,7 +1142,7 @@
             },
 
             isSelf (jid) {
-                return utils.isSameBareJID(jid, _converse.connection.jid);
+                return u.isSameBareJID(jid, _converse.connection.jid);
             },
 
             addAndSubscribe (jid, name, groups, message, attributes) {
@@ -1862,7 +1862,7 @@
             i18n.fetchTranslations(
                 _converse.locale,
                 _converse.locales,
-                _.template(_converse.locales_url)({'locale': _converse.locale}))
+                u.interpolate(_converse.locales_url, {'locale': _converse.locale}))
             .catch(_.partial(_converse.log, _, Strophe.LogLevel.FATAL))
             .then(finishInitialization)
             .catch(_.partial(_converse.log, _, Strophe.LogLevel.FATAL));
@@ -1921,9 +1921,9 @@
         },
         'settings': {
             'update' (settings) {
-                utils.merge(_converse.default_settings, settings);
-                utils.merge(_converse, settings);
-                utils.applyUserSettings(_converse, settings, _converse.user_settings);
+                u.merge(_converse.default_settings, settings);
+                u.merge(_converse, settings);
+                u.applyUserSettings(_converse, settings, _converse.user_settings);
             },
             'get' (key) {
                 if (_.includes(_.keys(_converse.default_settings), key)) {
@@ -2045,7 +2045,7 @@
             'b64_sha1':  b64_sha1,
             'moment': moment,
             'sizzle': sizzle,
-            'utils': utils
+            'utils': u
         }
     };
     window.dispatchEvent(new Event('converse-loaded'));

src/utils.js

@@ -646,6 +646,14 @@
         return promise;
     };
 
+    u.interpolate = function (string, o) {
+        return string.replace(/{{{([^{}]*)}}}/g,
+            (a, b) => {
+                var r = o[b];
+                return typeof r === 'string' || typeof r === 'number' ? r : a;
+            });
+    };
+
     u.safeSave = function (model, attributes) {
         if (u.isPersistableModel(model)) {
             model.save(attributes);