From f46631a6fba76b553ab72c750401ebd4c8bc0ece Mon Sep 17 00:00:00 2001
From: TheGoddessInari
Date: Tue, 28 Aug 2018 02:45:08 -0700
Subject: [PATCH] Disable eval from webviews. It can be trivially exploited online, so no service page should be using this. I'll gladly help people report bugs upstream if It comes down to that, but electron strongly recommends this. This is reintroduced from c982df1a7a8fbfc61e78665fc4c9069fb60a606a as ICQ seems to've fixed the issue, despite not honoring bug bounty.
---
resources/js/rambox-service-api.js | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/resources/js/rambox-service-api.js b/resources/js/rambox-service-api.js
index 7687dbfa..6d5289c7 100644
--- a/resources/js/rambox-service-api.js
+++ b/resources/js/rambox-service-api.js
@@ -65,3 +65,11 @@ Notification.permission = NativeNotification.permission; Notification.requestPermission = NativeNotification.requestPermission.bind(Notification); window.close = function() { location.href = location.origin };
+
+/**
+ * Disable eval for security reasons.
+ */
+ // eslint-disable-next-line no-eval
+ window.eval = global.eval = function () {
+ throw new Error(`Sorry, this app does not support window.eval().`);
+ };
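Review bot: The plain assignment `window.eval = global.eval = function () { … }` leaves the property writable and configurable, so it is a convenience guard rather than an enforcement boundary: any script sharing this context can assign over it again. Pinning it would be stricter, e.g. `Object.defineProperty(window, 'eval', { value: blockedEval, writable: false, configurable: false });`, with `blockedEval` being the throwing function. The override also leaves the `Function` constructor and string-argument `setTimeout`/`setInterval` untouched, so the durable control is a Content-Security-Policy without `'unsafe-eval'` on the webview session; whether one is already set, or whether context isolation separates this preload from the page, is not visible in this hunk. The doc comment should state that scope, for instance `Blocks direct window.eval only; Function() and string timers rely on CSP.`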