From 88647a4879cbb04dec135a67a8463af6e75d9821 Mon Sep 17 00:00:00 2001
From: Jamie Mansfield <dev@jamierocks.uk>
Date: Thu, 22 Mar 2018 22:32:46 +0000
Subject: [PATCH] Remove string-generated Functions for CSP policies - Resolves
 #3441

---
 src/structs/RTree.js | 31 ++++++++++++++++++-------------
 1 file changed, 18 insertions(+), 13 deletions(-)

diff --git a/src/structs/RTree.js b/src/structs/RTree.js
index 7b7929774..5ae6ebe65 100644
--- a/src/structs/RTree.js
+++ b/src/structs/RTree.js
@@ -467,20 +467,25 @@ rbush.prototype = {
     {
         // data format (minX, minY, maxX, maxY accessors)
 
-        // uses eval-type function compilation instead of just accepting a toBBox function
-        // because the algorithms are very sensitive to sorting functions performance,
-        // so they should be dead simple and without inner calls
+        // Do not use string-generated Functions for CSP policies
+        // Instead a combination of anonymous functions and grabbing
+        // properties by string is used.
+        var compareArr = function(accessor) {
+            return function(a, b) {
+                return this[a + accessor] - this[b + accessor];
+            };
+        };
+        this.compareMinX = compareArr(format[0]);
+        this.compareMinY = compareArr(format[1]);
 
-        var compareArr = ['return a', ' - b', ';'];
-
-        this.compareMinX = new Function('a', 'b', compareArr.join(format[0]));
-        this.compareMinY = new Function('a', 'b', compareArr.join(format[1]));
-
-        this.toBBox = new Function('a',
-            'return {minX: a' + format[0] +
-            ', minY: a' + format[1] +
-            ', maxX: a' + format[2] +
-            ', maxY: a' + format[3] + '};');
+        this.toBBox = function (a) {
+            return {
+                minX: a + format[0],
+                minY: a + format[1],
+                maxX: a + format[2],
+                maxy: a + format[3]
+            };
+        };
     }
 };