Fixed: security issue due to the usage of eval().

MoOx · MoOx · commit aebe8f7adce9 · 2016-08-22T08:00:32.000+02:00
This is to avoid an arbitrary code execution. Now operations are resolved using [``math-expression-evaluator``](https://github.com/redhivesoftware/math- expression-evaluator)
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,3 +1,8 @@
+- Fixed: security issue due to the usage of ``eval()``.
+  This is to avoid an arbitrary code execution.
+  Now operations are resolved using
+  [``math-expression-evaluator``](https://github.com/redhivesoftware/math-expression-evaluator)
+
 # 1.2.4 - 2016-06-09
 
 - Fixed: zero values are not unitless anymore.
diff --git a/index.js b/index.js
@@ -3,6 +3,7 @@
  */
 var balanced = require("balanced-match")
 var reduceFunctionCall = require("reduce-function-call")
+var mexp = require("math-expression-evaluator")
 
 /**
  * Constantes
@@ -31,6 +32,10 @@ function reduceCSSCalc(value, decimalPrecision) {
   stack = 0
   decimalPrecision = Math.pow(10, decimalPrecision === undefined ? 5 : decimalPrecision)
 
+  // CSS allow to omit 0 for 0.* values,
+  // but math-expression-evaluator does not
+  value = value.replace(/\s(\.[0-9])/g, " 0$1")
+
   /**
    * Evaluates an expression
    *
@@ -72,7 +77,7 @@ function reduceCSSCalc(value, decimalPrecision) {
     var result
 
     try {
-      result = eval(toEvaluate)
+      result = mexp.eval(toEvaluate)
     }
     catch (e) {
       return functionIdentifier + "(" + expression + ")"
diff --git a/package.json b/package.json
@@ -1,4 +1,3 @@
-
 {
   "name": "reduce-css-calc",
   "version": "1.2.4",
@@ -16,6 +15,7 @@
   ],
   "dependencies": {
     "balanced-match": "^0.1.0",
+    "math-expression-evaluator": "^1.2.9",
     "reduce-function-call": "^1.0.1"
   },
   "devDependencies": {
