Kinetic Web browser Print Preview


So, yeah, JavaScript eval(). As Microsoft has blocked more and more file types in email, JavaScript HTML Smuggling is getting popular again. Obfuscated JavaScript in emails is difficult for Anti-Malware software to catch. eval() is an old capability that was useful to developers but has become even more useful to threat actors.

eval() can be blocked with security headers, so I wouldn’t hang my hat on the technique. From:

Don’t mean to p*ss on the St. Pat’s Parade. :person_shrugging: :shamrock:


Yes, that’s right. The thing is, is it empty, or malformed?

When I open the Client it pops up, so I would assume it’s formed correctly.

I have it working now. It opens automatically in Edge but only downloads in Chrome. Is there a way to get it to open in Chrome too?

Btw @klincecum was right. I inverted the i and s in SysRptList so it was obviously blank. Time for a new set of glasses, I guess.

What to Know

  • In the Chrome browser, select the three vertical dots in the upper-right corner.
  • Choose Settings > Advanced > Privacy and security. Select Site Settings > PDF documents.
  • Use the toggle switch next to Download PDF files instead of automatically opening them in Chrome to turn the feature on and off.

There is no Advanced Settings there, so they are wrong, but the rest is right.


That worked. Thank you.


Separately, for those who use Edge, Microsoft will be replacing Chrome’s built-in PDF viewer with Adobe’s by 31 March 2023.

Because Adobe has such a great track record of being super secure :poop:

It’s super speedy too!

Thanks for all the help. I have it working and have modified the code slightly so that it will open any output option other than EMF. I just added an event next between the ERP BAQ and ran three conditions, one each for PDF, Excel, and Word (XML opens natively in the browser). I set TransView.Format to whatever the application/ is and use the code below in the condition. This way we can roll Kinetic out through the browser rather than the Client, and kind of keep the two worlds separated as we bring groups of users onto Kinetic. I know it’s a temporary fix but hope it helps someone else.

eval ("var byteString = window.atob('{SysRptList.SysRptLst_RptData}');let int8Array = new Uint8Array(new ArrayBuffer(byteString.length));for (let i = 0; i < byteString.length; i++) { int8Array[i] = byteString.charCodeAt(i);}let documentBlob = new Blob([int8Array], { type: '{TransView.Format}' });let fileURL = URL.createObjectURL(documentBlob);console.log('{TransView.Format}'); window.open(fileURL,'_blank');")

I used the above tutorial from @hmwillett but it pulled up the report before the one I just ran, and then, opening the client, I am bombarded with reports popping up. Although this will likely not matter in live, just in case we are prepared. I modified it so that it will open any output format (PDF, all the Excels, CSV, and Word) with the appropriate program, then added a loop to wait for the new report to finish and update SysRptLst so that the previews won’t pop up when entering the classic app.

If anyone wants instructions, I am throwing them together so I don’t miss anything when doing this repetitively across all reports. Yes, I am making even reports triggered from the overflow menu work, like Sales Order Acknowledgment, invoices and edit lists.

A little confused on the magic sauce…

So your BAQ is querying the SysRpt thingy, and then you take the results of the BAQ and, using JavaScript, write a file to the client side?

Say I have a function that does “some stuff” and one of its outputs is a “stream of bytes”; could I use the expression-JavaScript to write the “stream of bytes” to a file locally?

Thanks

Kind of. You can’t write to the file from the browser; if you could, @Mark_Wonsil would blow a gasket (and we don’t want to lose him, them dad jokes are :fire:).

However, you can take that stream of bytes and generate a “BLOB” and then tell the browser to “download” this blob, at which point the browser would prompt you to download / save / open the file with Outlook (or whatever).

That’s what this line does:

eval ("var byteString = window.atob('{SysRptList.SysRptLst_RptData}');let int8Array = new Uint8Array(new ArrayBuffer(byteString.length));for (let i = 0; i < byteString.length; i++) { int8Array[i] = byteString.charCodeAt(i);}let documentBlob = new Blob([int8Array], { type: '{TransView.Format}' });let fileURL = URL.createObjectURL(documentBlob);console.log('{TransView.Format}'); window.open(fileURL,'_blank');")

Ah, ok, yeah, that part was too magic for me (to believe that it could write the file locally). I get now what the script is doing, very nice… I’ll give it a try.

Also note, we’re just one security header away from that not working. So, have a plan B if you’re in Epicor SaaS.

From:
CSP: script-src - HTTP | MDN (mozilla.org)

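As an added example (not code from this thread, from Epicor, or from MDN), here is a small check of the point Jose and the MDN page make: eval() is governed by script-src, which falls back to default-src when absent, and is only permitted when the governing directive carries the 'unsafe-eval' keyword. The header values below are constructed for illustration; a response that ships several CSP headers or a meta-tag policy is combined more restrictively than this single-header check models.

```javascript
// Decide whether a single Content-Security-Policy header value would block
// the eval()-based report preview. Rules applied: eval() is governed by
// script-src; if script-src is absent the browser falls back to default-src;
// if neither directive is present there is no restriction on eval().

function parseCsp(headerValue) {
  // Directives are "name source source ..." separated by semicolons.
  const directives = new Map();
  for (const part of headerValue.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    // A repeated directive name is ignored; the first occurrence wins.
    const key = name.toLowerCase();
    if (!directives.has(key)) {
      directives.set(key, sources.map((s) => s.toLowerCase()));
    }
  }
  return directives;
}

function evalAllowed(headerValue) {
  if (!headerValue) return true; // no policy delivered at all
  const directives = parseCsp(headerValue);
  const governing = directives.get('script-src') ?? directives.get('default-src');
  if (governing === undefined) return true; // neither directive present
  return governing.includes("'unsafe-eval'");
}

// Constructed sample header values (not taken from any real Epicor deployment).
const SAMPLE_POLICIES = {
  none: '',
  selfOnly: "default-src 'self'; script-src 'self' https://cdn.example.com",
  unsafeEval: "script-src 'self' 'unsafe-eval'",
  defaultOnly: "default-src 'self'",
  imgOnly: "img-src 'self'",
};

// Map each sample policy label to whether eval() would still run under it.
function reportOnSamples() {
  const out = {};
  for (const [label, policy] of Object.entries(SAMPLE_POLICIES)) {
    out[label] = evalAllowed(policy);
  }
  return out;
}

console.log(reportOnSamples());
```

Of the samples, only the header with no policy, the one that restricts just images, and the one that explicitly lists 'unsafe-eval' leave the eval() route open.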

Hmmm, with the @Mark_Wonsil security concerns… is there any way I can tell the browser to do the download from within my function? (I doubt it, my function is in .Net land, and the browser is in JS land.)

I’m no security guy Mark, but are you saying this is a concern if I am worried about the privacy of my download content, or is it that this ability will soon go away because of security standards, and/or that using this approach opens oneself up to bigger privacy/hacking concerns?

^ that is the issue. Epicor … CC: @bconner is taking away our toys (with good reason), but hopefully there will be some sort of alternative to achieve something similar.


This is one of those reasons I was referring to @Olga .

Of course, I’m hoping that will become built in, and I won’t have to cobble something together.

Like Jose said, this is the main concern. Let’s say Epicor gets an AppSec auditor in, and one of the (likely) recommendations is to have a Content Security Policy. This is quick and easy to implement and would immediately render this solution D.O.A.

This might be one of the XY Problems that @timshuwy mentions. Instead of going back to the business purpose (notification in this case), our problem becomes “How can I implement the old solution in the new context?” instead of looking at the need with fresh eyes.
