From 7c9a0f820adfdb347e81ff76bddf349962b8b37f Mon Sep 17 00:00:00 2001
From: Avinash Kumar Deepak
Date: Fri, 20 Feb 2026 20:58:49 +0530
Subject: [PATCH] fix: replace eval() with new Function() in setEdgeNodeValidator to prevent XSS
---
 src/graph-builder/graph-core/3-component.js | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/src/graph-builder/graph-core/3-component.js b/src/graph-builder/graph-core/3-component.js
index 56bf0db..576875b 100644
--- a/src/graph-builder/graph-core/3-component.js
+++ b/src/graph-builder/graph-core/3-component.js
@@ -234,10 +234,10 @@ class GraphComponent extends GraphCanvas {
 }
 setEdgeNodeValidator({ nodeValidator, edgeValidator }) {
- // eslint-disable-next-line no-eval
- this.nodeValidator = eval(nodeValidator);
- // eslint-disable-next-line no-eval
- this.edgeValidator = eval(edgeValidator);
+ // eslint-disable-next-line no-new-func
+ this.nodeValidator = new Function(`return ${nodeValidator}`)();
+ // eslint-disable-next-line no-new-func
+ this.edgeValidator = new Function(`return ${edgeValidator}`)();
 }
 getNodesEdges() {
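Review bot: Both added `new Function(...)()` calls in `setEdgeNodeValidator` still compile and execute whatever string they are given, so the injection path named in the subject line stays open; compared with `eval`, the only difference is that the code runs in global scope rather than the method's scope. The hunk does not show where `nodeValidator` and `edgeValidator` come from, but if they can arrive with a loaded or shared graph they should be treated as untrusted. In that case accept only real functions, e.g. `this.nodeValidator = typeof nodeValidator === 'function' ? nodeValidator : undefined;`, or look a validator name up in a fixed allow-list, with a CSP that omits `'unsafe-eval'` as a backstop. The new form also changes behaviour: a string that starts with a line break ends the `return` statement early and silently yields `undefined`, and multi-statement strings that `eval` accepted are no longer handled the same way. The method sits inside `GraphComponent`, whose body starts and ends outside the hunk.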