
better xss mitigation

Evan You 12 rokov pred
0bee5a08e5
2 zmenil súbory, kde vykonal 33 pridanie a 17 odobranie
  1. 6 4
      src/exp-parser.js
  2. 27 13
      test/unit/specs/exp-parser.js

+ 6 - 4
src/exp-parser.js

@@ -1,7 +1,8 @@
-var utils = require('./utils'),
-    stringSaveRE = /"(?:[^"\\]|\\.)*"|'(?:[^'\\]|\\.)*'/g,
+var utils           = require('./utils'),
+    stringSaveRE    = /"(?:[^"\\]|\\.)*"|'(?:[^'\\]|\\.)*'/g,
     stringRestoreRE = /"(\d+)"/g,
-    constructorRE = /(^|\.)constructor\(/
+    constructorRE   = new RegExp('constructor'.split('').join('[\'"+, ]*')),
+    unicodeRE       = /\\u\d\d\d\d/
 
 // Variable extraction scooped from https://github.com/RubyLouvre/avalon
 
@@ -110,7 +111,8 @@ module.exports = {
      *  created as bindings.
      */
     parse: function (exp, compiler) {
-        if (constructorRE.test(exp)) {
+        // unicode and 'constructor' are not allowed for XSS security.
+        if (unicodeRE.test(exp) || constructorRE.test(exp)) {
             utils.warn('Unsafe expression: ' + exp)
             return function () {}
         }
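Review bot: The new `unicodeRE` only matches `\u` escapes whose four digits are all decimal, so any escape with a hex letter bypasses both checks — `''.toString['c\u006fnstructor']` contains neither a `\u` followed by four `\d` nor the letter sequence `constructorRE` looks for, yet evaluates to `constructor`; `\x63onstructor` is not covered at all. The pattern should be `unicodeRE = /\\u[0-9a-fA-F]{4}|\\x[0-9a-fA-F]{2}/` and the test file should gain a case using `\u006f` or `\x63` so the gap stays closed. More generally this is a deny-list of spellings, and the expression text can presumably assemble the name without ever containing it (e.g. `'cons'.concat('tructor')`), so a comment above the check such as `// Best-effort deny-list; does not make arbitrary expressions safe — never feed untrusted templates to parse()` would set the right expectation for callers. `parse` continues past the end of this hunk.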

+ 27 - 13
test/unit/specs/exp-parser.js

@@ -112,20 +112,34 @@ describe('UNIT: Expression Parser', function () {
 
     })
 
-    describe('Basic XSS protection', function () {
+    describe('XSS protection', function () {
         
-        var cases = [{
-            xss: true,
-            exp: "constructor.constructor('alert(1)')()",
-            vm: {},
-            expectedValue: undefined
-        },
-        {
-            xss: true,
-            exp: "\"\".toString.constructor.constructor('alert(1)')()",
-            vm: {},
-            expectedValue: undefined
-        }]
+        var cases = [
+            {
+                xss: true,
+                exp: "constructor.constructor('alert(1)')()",
+                vm: {},
+                expectedValue: undefined
+            },
+            {
+                xss: true,
+                exp: "\"\".toString.constructor.constructor('alert(1)')()",
+                vm: {},
+                expectedValue: undefined
+            },
+            {
+                xss: true,
+                exp: "\"\".toString['cons' + 'tructor']['cons' + 'tructor']('alert(1)')()",
+                vm: {},
+                expectedValue: undefined
+            },
+            {
+                xss: true,
+                exp: "\"\".toString['\\u0063ons' + 'tructor']['\\u0063ons' + 'tructor']('alert(1)')()",
+                vm: {},
+                expectedValue: undefined
+            }
+        ]
 
         cases.forEach(describeCase)