Final Class: CspExpressionEvaluator

Oracle® JavaScript Extension Toolkit (JET)
17.1.0

G12196-01

Since:
  • 7.1.0
Module:
  • ojcspexpressionevaluator

Description

A class for creating CSP-compliant evaluators of JavaScript expressions

The default JET expression evaluator cannot be used when Content Security Policy prohibits unsafe evaluations. To replace the default evaluator with the JET CSP-compliant evaluator, create an instance of the CspExpressionEvaluator class and pass it to the Config.setExpressionEvaluator() method. This method must be called before knockout bindings are applied in the application for the first time.

Any extra context required for evaluating expressions can be passed to the object constructor using the globalScope property.


Config.setExpressionEvaluator(new CspExpressionEvaluator());

Expressions supported by the JET CspExpressionEvaluator

  • Identifiers, e.g. [[value]].
  • Members, e.g. [[router.stateId]].
  • Literals, e.g. [['abc']].
  • Function callbacks, e.g. [[getColor('customer', id)]].
  • Unary operators are limited to '-', '+', '~', '!' and '...', e.g. [[-100]].
  • Instanceof or typeof operators such as 'date instanceof Date'
  • Binary operators, e.g. [[value + '.png']].
  • Exponentiation (**) such as '3 ** 4'
  • Logical operators, e.g. [[a && b]] or [[a || b]].
  • Nullish coalescing operator (??) such as 'value ?? "default value"'
  • Conditional or ternary operators, e.g. [[test ? consequent : alternate]].
  • Optional chaining operators, e.g. [[a?.b]].
  • Array literals, e.g. [a, b, c].
  • Object literals, e.g. [[{'selection_state': selected}]].
  • 'new' operator such as 'new Object()'
  • Regular expressions in the form of explicit RegExp objects such as [[testString.match(new RegExp('abc', 'i'))]]
  • Template literals except tagged templates, e.g. [[`Hello, ${user}!`]]
  • Functions are limited to a single statement, e.g. function(){return 'abc'} or function(x, y){return x + y}.
  • Arrow functions are limited to a single statement, e.g. () => 'abc', () => {return 'abc'}, (x, y) => {return x + y} or [1, 2, 3].map(item => item + 1)

Expression limitations:

The following code is not supported in expressions:

  • Assignment operators of any types such as '=' or '+=' or '|='
  • Blocks of code such as 'if (...){}'
  • Comma operator (,) such as '(expr1, expr2)'
  • in operator such as 'prop in testObject'
  • Increment/decrement operators such as 'x++' or 'x--'
  • Inline regular expressions such as 'testString.match(/abc/i)'
  • Spread operator (...) such as 'sum(...arrayValue)'
  • Tagged templates such as 'myTag`Hello, ${user}!`'
  • await/async keywords such as 'await myAsyncTask()'
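
Added example (not part of the Oracle JET documentation and not JET's own code): a heuristic pre-screen that flags binding expressions using constructs from the limitations list above, so they can be rewritten before the CSP-compliant evaluator is enabled. The rule names, function names and sample expressions are constructed; the comma and spread operators are not covered, and code inside template-literal placeholders is not inspected.

```javascript
// Added example: a heuristic pre-screen, not the parser JET uses.
// Rule names, function names and sample expressions are constructed.
const RULES = [
  ['assignment', /(?<![=!<>])=(?![=>])|<<=|>>>?=/],
  ['increment/decrement', /\+\+|--/],
  ['in operator', /(?<![.\w$])in\b/],
  ['await/async', /(?<![.\w$])(?:await|async)\b/],
  ['block statement', /(?<![.\w$])(?:if|for|while|switch|try)\s*[({]/],
  ['tagged template', /[\w$)\]]``/],
  ['inline regex', /(?:^|[(,=:\[!&|?{};])\s*\/(?![\/*])[^\/\n]+\/[dgimsuvy]*/],
];

// Collapse string and template literals to empty ones in a single pass so
// operators that only appear inside text (e.g. ' = ') are not flagged.
function stripLiterals(expr) {
  const literal = /'(?:\\.|[^'\\])*'|"(?:\\.|[^"\\])*"|`(?:\\.|[^`\\])*`/g;
  return expr.replace(literal, (m) => m[0] + m[0]);
}

// Names of the unsupported constructs found in one binding expression.
function findUnsupported(expr) {
  const code = stripLiterals(expr);
  return RULES.filter(([, re]) => re.test(code)).map(([name]) => name);
}

// Keep only the expressions that need rewriting before the switch.
function screen(expressions) {
  return expressions
    .map((expr) => ({ expr, issues: findUnsupported(expr) }))
    .filter((r) => r.issues.length > 0);
}

// Constructed sample: expressions as they might appear inside [[...]] in a view.
const sample = [
  "value + '.png'",
  "label + ' = ' + total",
  'testString.match(/abc/i)',
  "testString.match(new RegExp('abc', 'i'))",
  'prop in testObject',
  'count++',
  '[1, 2, 3].map(item => item + 1)',
];
for (const { expr, issues } of screen(sample)) {
  console.log(`${expr}  ->  ${issues.join(', ')}`);
}
```

An empty result only means none of these patterns matched; the expression still has to be exercised against the evaluator itself.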

Usage

TypeScript Import Format
//This class is exported directly as module. To import it
import CspExpressionEvaluator = require("ojs/ojcspexpressionevaluator");

For additional information visit:


Final classes in JET

Classes in JET are generally final and do not support subclassing. At the moment, final is not enforced. However, this will likely change in an upcoming JET release.


Constructor

new CspExpressionEvaluator(options)

Parameters:
  • options (Type: Object)
    Properties:
      • globalScope (Type: any, Argument: <optional>): optional additional scope required for evaluating expressions. The additional scope will be used to resolve the variables if they are not defined in the $data or $context.

Config.setExpressionEvaluator(new CspExpressionEvaluator({globalScope:extraScope}));