remediate: replace eval cookie writes with safe JS helper + add tests (18.6 Track A)

Both SettingsCookieService and DarkModeCookieService now call window.DeepDrftSettings.setCookie (new Interop/settings/settings.ts) instead of eval. New tests cover SettingsServiceBase parse/format round-trip and the PreferenceAwareStreamingPlayerService invariant (Lossless skips probe; LowData inherits base).
This commit is contained in:
daniel-c-harvey
2026-06-23 14:17:34 -04:00
parent c63c7ca033
commit 77c6c42c94
6 changed files with 318 additions and 6 deletions
+1
View File
@@ -24,6 +24,7 @@
<script src="_framework/blazor.web.js"></script>
<script src=@Assets["_content/MudBlazor/MudBlazor.min.js"]></script>
<script type="module">
import('./js/settings/settings.js');
import('./js/audio/index.js');
import('./js/telemetry/beacon.js');
import('./js/telemetry/anonid.js');
@@ -0,0 +1,33 @@
/**
* Listener-settings interop (Phase 18 wave 18.6). A safe, eval-free cookie helper for persisting
* public-site preferences (streaming quality, and any future setting added under PublicSiteSettings).
* The 365-day durable-truth seam dark mode uses — same mechanism, no eval.
*
* Exposed on window.DeepDrftSettings; imported once in App.razor.
*/
const DeepDrftSettings = {
/**
* Write a cookie with the given name, value, and lifetime. Equivalent to the browser's
* document.cookie assignment but without building JS via string interpolation or eval.
* Path is always "/"; SameSite is always "Lax" — matches the dark-mode cookie semantics.
*/
setCookie: (name: string, value: string, days: number): void => {
const expires = new Date();
expires.setTime(expires.getTime() + days * 24 * 60 * 60 * 1000);
document.cookie =
`${encodeURIComponent(name)}=${encodeURIComponent(value)}` +
`; expires=${expires.toUTCString()}` +
`; path=/; SameSite=Lax`;
},
};
declare global {
interface Window {
DeepDrftSettings: typeof DeepDrftSettings;
}
}
window.DeepDrftSettings = DeepDrftSettings;
export { DeepDrftSettings };