fix!: use IIFE for dynamic JS evaluation (#33973)

Co-authored-by: Ankush Menat <ankush@frappe.io>
2025-11-22 11:18:50 +05:30 · 2025-11-22 11:18:50 +05:30 · 370efbd3e8
commit 370efbd3e8
parent 1e0415e6dd
5 changed files with 5 additions and 8 deletions
--- a/frappe/email/doctype/auto_email_report/auto_email_report.js
+++ b/frappe/email/doctype/auto_email_report/auto_email_report.js
@ -61,7 +61,7 @@ frappe.ui.form.on("Auto Email Report", {
 					report_name: frm.doc.report,
 				},
 				callback: function (r) {
-					frappe.dom.eval(r.message.script || "");
+					frappe.dom.eval(r.message.script);
 					frm.script_setup_for = frm.doc.report;
 					frm.trigger("show_filters");
 				},
--- a/frappe/public/js/frappe/dom.js
+++ b/frappe/public/js/frappe/dom.js
@ -27,10 +27,7 @@ frappe.dom = {
 	},
 	eval: function (txt) {
 		if (!txt) return;
-		var el = document.createElement("script");
-		el.appendChild(document.createTextNode(txt));
-		// execute the script globally
-		document.getElementsByTagName("head")[0].appendChild(el);
+		new Function(txt)();
 	},

 	remove_script_and_style: function (txt) {
--- a/frappe/public/js/frappe/views/pageview.js
+++ b/frappe/public/js/frappe/views/pageview.js
@ -86,7 +86,7 @@ frappe.views.Page = class Page {

 			// set content, script and style
 			if (this.pagedoc.content) this.wrapper.innerHTML = this.pagedoc.content;
-			frappe.dom.eval(this.pagedoc.__script || this.pagedoc.script || "");
+			frappe.dom.eval(this.pagedoc.__script || this.pagedoc.script);
 			frappe.dom.set_style(this.pagedoc.style || "");

 			// set breadcrumbs
--- a/frappe/public/js/frappe/views/reports/query_report.js
+++ b/frappe/public/js/frappe/views/reports/query_report.js
@ -430,7 +430,7 @@ frappe.views.QueryReport = class QueryReport extends frappe.views.BaseList {
 						report_name: this.report_name,
 					})
 					.then((settings) => {
-						frappe.dom.eval(settings.script || "");
+						frappe.dom.eval(settings.script);
 						frappe.after_ajax(() => {
 							this.report_settings = this.get_local_report_settings(
 								settings.custom_report_name
--- a/frappe/public/js/frappe/views/reports/report_utils.js
+++ b/frappe/public/js/frappe/views/reports/report_utils.js
@ -129,7 +129,7 @@ frappe.report_utils = {
 				report_name: report_name,
 			})
 			.then((r) => {
-				frappe.dom.eval(r.script || "");
+				frappe.dom.eval(r.script);
 				return frappe.after_ajax(() => {
 					if (
 						frappe.query_reports[report_name] &&