From 8eeb98ceac5bcd23db3e30d5409ec941349b4967 Mon Sep 17 00:00:00 2001
From: "Nicholas (Nick) Whelan"
Date: Wed, 30 Oct 2013 13:54:07 -0500
Subject: [PATCH] Removing XSS vulnerability in queryStringToJSON()

Removing a very dangerous eval(), that operates on all params, one or more of which could be arbitrary javascript. There may still be some issues with the advanced part.
---
 scripts/resources/core.string.js | 8 +-------
 1 file changed, 1 insertion(+), 7 deletions(-)

diff --git a/scripts/resources/core.string.js b/scripts/resources/core.string.js
index c25dfe6..0c0035e 100755
--- a/scripts/resources/core.string.js
+++ b/scripts/resources/core.string.js
@@ -198,13 +198,7 @@ String.prototype.queryStringToJSON = String.prototype.queryStringToJSON || funct
 // Fix
 key = decodeURIComponent(key);
 value = decodeURIComponent(value);
- try {
- // value can be converted
- value = eval(value);
- } catch ( e ) {
- // value is a normal string
- }
-
+ // Set
 // window.console.log({'key':key,'value':value}, split);
 var keys = key.split('.');
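Review bot: Dropping the eval() also drops the implicit typing of values such as `true` or `42`, so callers of `queryStringToJSON()` that relied on booleans/numbers now receive strings; if that coercion is wanted, `try { value = JSON.parse(value); } catch (e) { /* plain string, keep as-is */ }` in place of the removed block restores it for numbers, booleans and null without ever executing the input. Note that JSON.parse would also accept array/object literals in a parameter value, so decide whether that shape is acceptable for this function or restrict it to scalars. The function body continues past the hunk, and the nested assignment built from `key.split('.')` is not visible here; if it walks into a plain object, a segment such as `__proto__` or `constructor` would land on the shared prototype, so that walk should skip or reject such segments (or build the result with `Object.create(null)`). The two `decodeURIComponent` calls kept as context also throw URIError on a malformed percent-sequence, which this change leaves unhandled for an input that is by definition untrusted.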