From ff562282d3431326bbd2f17e8b5d6f5538425b21 Mon Sep 17 00:00:00 2001 From: Dumitru Uzun Date: Wed, 29 Jan 2020 18:03:50 +0200 Subject: [PATCH] Replace eval() with new Function() Replace ```js eval(attrValue) ``` with ```js (new Function('return ('+attrValue+')'))() ``` ### Why? `eval()` is evaluated in the scope where it is called, which exposes all the (private) variables to the string script being evaluated. Besides security considerations, it disables mangling of all variables names in the scope (and all parent scopes) during code minification, because every variable could be potentially used in the `eval()`. The `(new Function(str))()` approach is much safer, cause it does not have access to the current scope. --- src/jquery-ui-timepicker-addon.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/jquery-ui-timepicker-addon.js b/src/jquery-ui-timepicker-addon.js index 9bbb21f..8defae5 100644 --- a/src/jquery-ui-timepicker-addon.js +++ b/src/jquery-ui-timepicker-addon.js @@ -183,7 +183,7 @@ var attrValue = $input.attr('time:' + attrName); if (attrValue) { try { - inlineSettings[attrName] = eval(attrValue); + inlineSettings[attrName] = (new Function('return ('+attrValue+')'))(); } catch (err) { inlineSettings[attrName] = attrValue; }
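Review bot: the security claim in the commit message is narrower than it reads, because `inlineSettings[attrName] = (new Function('return ('+attrValue+')'))();` still hands `attrValue`, read directly from the element's `time:` attribute in `var attrValue = $input.attr('time:' + attrName);` a few lines above, to a code-evaluating primitive. `new Function` only removes access to the enclosing closure's variables; the string is still executed as arbitrary JavaScript with the full global scope (`window`, `document`, cookies, same-origin requests), so anyone who can inject a `time:*` attribute into the markup gets the same script execution as before, and a page served with a Content-Security-Policy that omits `'unsafe-eval'` will refuse `new Function` exactly as it refuses `eval`. If these attributes are meant to carry data rather than code, this hunk is the place to switch to a data parser (for example `JSON.parse(attrValue)` inside the existing `try`, keeping the `catch` that falls back to the raw string for plain values such as format strings); if the attribute values are treated as trusted markup, state that in a comment here and in the commit message so the change is not read as a fix for attribute injection. Two smaller points on the same line: wrapping the value in `return ( ... )` changes semantics relative to `eval`, since an input like `{a:1}` was previously parsed as a block statement and is now parsed as an object literal (likely what callers want, but worth a changelog note), and the minification benefit described in the message is accurate, as minifiers no longer have to preserve every variable name in the enclosing scopes.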