From c982df1a7a8fbfc61e78665fc4c9069fb60a606a Mon Sep 17 00:00:00 2001
From: TheGoddessInari
Date: Tue, 28 Aug 2018 02:45:08 -0700
Subject: [PATCH] Disable eval from webviews. It can be trivially exploited online, so no service page should be using this. I'll gladly help people report bugs upstream if It comes down to that, but electron strongly recommends this.
---
 resources/js/rambox-service-api.js | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/resources/js/rambox-service-api.js b/resources/js/rambox-service-api.js
index a1a3c58a..88084c91 100644
--- a/resources/js/rambox-service-api.js
+++ b/resources/js/rambox-service-api.js
@@ -63,3 +63,11 @@ Notification = function(title, options) {
 Notification.prototype = NativeNotification.prototype;
 Notification.permission = NativeNotification.permission;
 Notification.requestPermission = NativeNotification.requestPermission.bind(Notification);
+
+/**
+ * Disable eval for security reasons.
+ */
+ // eslint-disable-next-line no-eval
+ window.eval = global.eval = function () {
+ throw new Error(`Sorry, this app does not support window.eval().`);
+ };
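Review bot: The added `window.eval = global.eval = function () { ... }` assignment blocks only direct `eval` calls, so the doc comment "Disable eval for security reasons" overstates what the hunk guarantees. The `Function` constructor and string-argument `setTimeout`/`setInterval` compile strings the same way and are left untouched; a Content-Security-Policy without `'unsafe-eval'` is the control that covers all of them. The replacement is also an ordinary writable property, so later code in the same context can assign over it; `Object.defineProperty(window, 'eval', { value: blockedEval, writable: false, configurable: false })` would pin it. I would extend the comment to something like `// Partial hardening: blocks eval() only; Function() and string timers still need CSP.` Whether this reaches page scripts at all depends on the webview sharing a JavaScript context with this preload file, which presumably holds since `Notification` is patched the same way above, but it is worth confirming against the webview's isolation settings.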