Chart options object is not available in the customCode context in current node-export-server (master)

[level420]

In the phantomjs based node server the chart options object was available in the customCode context. This way it was possible to modify the chart options within the custom code. The following simplified example modifies the charts title text within customCode:

curl \
  -H "Content-Type: application/json" \
  -X POST \
  -d '{"infile":{"title": {"text": "Steep Chart"}, "xAxis": {"categories": ["Jan", "Feb"]}, "series": [{"data": [29.9, 71.5]}]}, "customCode": "options.title.text =\"modified\"" }' \
  localhost:7801 \
  -o mychart.png

Expected behaviour

Within customCode it should be possible to access the chart options. The example above should render a png chart with the title text "modified".

Actual behaviour

The current node-export-server version (master) shows the following error message and an empty image is rendered.

Wed Jul 31 2024 07:08:10 GMT+0000 [error] - [pool] In pool.postWork: For request with ID 1b96262d4d99409ea2f7f899e58ec0d9 - Error encountered during export: 10.943841ms. 
 ReferenceError: options is not defined

Reproduction steps

Use the curl command line above to render a simple chart which produces the error.

Use case

The use case for this is to be able to embed javascript functions, like formatters e.g. for axis labels, into the json object the following way (a fragment):

{
  "@function@formatter" : "function() {  return this.stack }"
}

and within the customCode then using the following javascript (fragment only) code by walking the chart object tree in order to create a real function by eval-ing the attributes value which starts with @function@ and create a new object property named like what followed @function@ here formatter and assign the function to it:

if(attrName.substr(0,10) == "@function@") {
  let realAttrName = attrName.substr(10);
  eval("let f = " + object[attrName] + ";");
  if(typeof(f) == "function") {
    object[realAttrName ] = f;
  }
  delete object[attrName];
}

I know this would allow executing arbitrary possibly dangerous code within customCode, but this was at the time being the only method I've found which allowed to declare functions e.g. for formatters in chart options when sending the chart data in json format to the node-export-server.

[level420]

@jszuminski any workarround on getting the chart options in customCode using the current master branch?

[level420]

@jszuminski even a patch would be helpful, as I could simply integrate that into our docker image create task.

[level420]

@jszuminski See proposed PR #551

[jszuminski]

Thanks @level420! We will test it out and give a review. If no issues are detected, we can merge it.

[PaulDalek]

Hi @level420, thank you for reporting this and for the PR. No worries about running arbitrary code, as the public server doesn't allow that anyway. As for setting up your own server, it is a choice, so the responsibility falls on the user.

The only problem I see here is when the custom code is wrapped with function() {} or () => {} and with our current logic in the wrapAround function, the options object might be shadowed by a variable of the same name. You would have to, for example, invoke the function like this: ((options) => { ... })(options) in such cases, but it seems like no big deal. I think we can enhance the current logic, but for now, your fix is the best way to provide access to the userOptions.