remediate: replace eval cookie writes with safe JS helper + add tests (18.6 Track A)

Both SettingsCookieService and DarkModeCookieService now call window.DeepDrftSettings.setCookie (new Interop/settings/settings.ts) instead of eval. New tests cover SettingsServiceBase parse/format round-trip and the PreferenceAwareStreamingPlayerService invariant (Lossless skips probe; LowData inherits base).
daniel-c-harvey
2026-06-23 14:17:34 -04:00
parent c63c7ca033
commit 77c6c42c94
6 changed files with 318 additions and 6 deletions
@@ -14,9 +14,7 @@ public class DarkModeCookieService(DarkModeSettings darkModeSetting, IJSRuntime
public async ValueTask SetDarkModeAsync(bool isDarkMode)
{
var expires = DateTime.UtcNow.AddDays(EXPIRY_DAYS).ToString("R");
await js.InvokeVoidAsync("eval",
$"document.cookie = '{COOKIE_NAME}={isDarkMode.ToString().ToLower()}; expires={expires}; path=/; SameSite=Lax'");
await js.InvokeVoidAsync("DeepDrftSettings.setCookie", COOKIE_NAME, isDarkMode.ToString().ToLower(), EXPIRY_DAYS);
darkModeSetting.IsDarkMode = isDarkMode;
}
}
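Review bot: The cookie value in SetDarkModeAsync is built with `isDarkMode.ToString().ToLower()`, which is culture-sensitive for what is a fixed two-valued wire format; `isDarkMode ? "true" : "false"` (or `ToLowerInvariant()`) states it explicitly. The interop identifier `"DeepDrftSettings.setCookie"` is also repeated verbatim in SettingsCookieService, so a shared constant would keep the two call sites from drifting if the helper is renamed. Both arguments passed here are a constant and a bool, so no caller-controlled text reaches the helper from this method. The class body begins outside the hunk.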
@@ -27,8 +27,6 @@ public class SettingsCookieService(PublicSiteSettings settings, IJSRuntime js) :
private async ValueTask WriteCookieAsync(string name, string value)
{
var expires = DateTime.UtcNow.AddDays(ExpiryDays).ToString("R");
await js.InvokeVoidAsync("eval",
$"document.cookie = '{name}={value}; expires={expires}; path=/; SameSite=Lax'");
await js.InvokeVoidAsync("DeepDrftSettings.setCookie", name, value, ExpiryDays);
}
}
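Review bot: `name` and `value` still reach the cookie writer unvalidated in WriteCookieAsync. Dropping eval removes the script-injection path, but whether a `;` or `=` inside `value` can append or override cookie attributes now depends on how setCookie in settings.ts assembles `document.cookie`, which is not visible in this hunk. If the helper does not already apply `encodeURIComponent` to the value (with the matching decode on read), I would add that there, or reject those characters here before the interop call. A test that round-trips a value containing `;` and `'` would pin the behaviour. The class body begins outside the hunk.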