Code:

Description:
echo 'window.top.window.jQuery("#'.$_POST['temporary-iframe-id'].'").data("deferrer").resolve('.$result.');';

when $_POST['temporary-iframe-id'] value is 'cc");alert(3);windows.top.window.jQuery("#cc', then will be cause XSS.

Advice:
check precise for $_POST['temporary-iframe-id']

Hello,

I am currently working on a project that implements a strict Content Security Policy (CSP) to enhance security. As part of this policy, we aim to avoid the use of unsafe-eval due to its security implications. I am using ace-extra.js and would like to verify its compatibility with our CSP.

Issue:
Could you please investigate and confirm whether ace-extra.js relies on any practices that require the use of unsafe-eval? Specifically, I am looking for information on the following:

Use of eval()
Use of new Function()
Any other dynamic code execution methods

Additional Information:
If ace-extra.js does require unsafe-eval, are there any recommended workarounds or alternative solutions that would allow us to continue using this script while maintaining a strict CSP?

Thank you for your assistance!

Expected Behavior:
No CSP violations should occur, indicating that ace-extra.js is fully compatible with a strict CSP without unsafe-eval.

Actual Behavior:
(Please describe any CSP violations encountered if applicable.)