From 8656952d0fbf5c9bc39489d8475f3fefe0d22ad3 Mon Sep 17 00:00:00 2001
From: Zeroday BYTE
Date: Tue, 29 Jul 2025 21:59:35 +0700
Subject: [PATCH] Update util.js
Signed-off-by: Zeroday BYTE
---
 copyparty/web/util.js | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/copyparty/web/util.js b/copyparty/web/util.js
index b246e145..788b6974 100644
--- a/copyparty/web/util.js
+++ b/copyparty/web/util.js
@@ -2001,9 +2001,9 @@ function load_md_plug(md_text, plug_type, defer) {
 var old_plug = md_plug[plug_type];
 if (!old_plug || old_plug[1] != js) {
- js = 'const loc = new URL("' + location.href + '"), x = { ' + js + ' }; x;';
+ // Use Function constructor to avoid code injection via location.href
 try {
- var x = eval(js);
+ var x = (new Function('loc', 'return { ' + js + ' };'))(new URL(location.href));
 if (x['ctor']) {
 x['ctor']();
 delete x['ctor'];
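Review bot: The new comment in load_md_plug overstates the fix: passing `loc` as an argument removes the `location.href` interpolation, but `js` is still concatenated into the body of `new Function(...)` and compiled, so the plugin text remains a dynamic-code sink with the same trust requirement as the old `eval` (and still needs `'unsafe-eval'` under a CSP). I would reword it to `// pass loc as an argument so location.href is never part of the compiled source; js itself is still executed as code and must come from a trusted document`. Note also that a direct `eval` ran in load_md_plug's scope while a `new Function` body sees only globals and `loc`, so any plugin that referenced the function's locals will now throw; that is probably desirable, but it is a behavior change the commit message does not mention. Where `js` comes from, and whether it is stored for the `old_plug[1] != js` comparison, is outside the hunk.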