Watch expressions are easily hijackable

[Loirooriol]

1. Load http://example.com/
2. Open the web console
3. Enter eval = () => 0
4. Open the debugger
5. Add a new watch expression: 1

Result: 0
Expected: 1

[bomsy]

Oohhh ...Thanks for the report!

[jasonLaster]

Nice find @Loirooriol, this is a bug with the debugger server. You can see the same issue w/ the old debugger as well.

[Loirooriol]

Oh, I thought the culprit was #4107 because it wraps the expression in an eval.

[jasonLaster]

yep, good point... we do the same thing w/ the old debugger client as well.

[jasonLaster]

so... this fixes it:

I think the eval is not needed. and actually quite scary

diff --git a/src/utils/expressions.js b/src/utils/expressions.js
index ec27dac..05e40e1 100644
--- a/src/utils/expressions.js
+++ b/src/utils/expressions.js
@@ -14,13 +14,13 @@ export function sanitizeInput(input: string) {
  * NOTE: we add line after the expression to protect against comments.
 */
 export function wrapExpression(input: string) {
-  return `eval(\`
+  return `
     try {
       ${sanitizeInput(input)}
     } catch (e) {
       e
     }
-  \`)`.trim();
+  `.trim();
 }