Accueil Explorer Aide
S'inscrire Connexion
vuejs
/
vue
miroir de https://github.com/vuejs/vue.git
2
0
Fork 0
Fichiers Tickets 0 Wiki
Parcourir la source

better xss mitigation

Evan You il y a 12 ans
Parent
a891df220f
commit
0bee5a08e5
2 fichiers modifiés avec 33 ajouts et 17 suppressions
Vue unifiée Afficher les stats Diff
  1. 6 4
      src/exp-parser.js
  2. 27 13
      test/unit/specs/exp-parser.js

+ 6 - 4
src/exp-parser.js
Voir le fichier 

@@ -1,7 +1,8 @@
 
-var utils = require('./utils'),
 
-    stringSaveRE = /"(?:[^"\\]|\\.)*"|'(?:[^'\\]|\\.)*'/g,
 
+var utils           = require('./utils'),
 
+    stringSaveRE    = /"(?:[^"\\]|\\.)*"|'(?:[^'\\]|\\.)*'/g,
 
     stringRestoreRE = /"(\d+)"/g,
 
     stringRestoreRE = /"(\d+)"/g,
 
-    constructorRE = /(^|\.)constructor\(/
 
+    constructorRE   = new RegExp('constructor'.split('').join('[\'"+, ]*')),
 
+    unicodeRE       = /\\u\d\d\d\d/
 
 
 
 // Variable extraction scooped from https://github.com/RubyLouvre/avalon
 
 // Variable extraction scooped from https://github.com/RubyLouvre/avalon
 
 
 
@@ -110,7 +111,8 @@ module.exports = {
 
      *  created as bindings.
 
      *  created as bindings.
 
      */
 
      */
 
     parse: function (exp, compiler) {
 
     parse: function (exp, compiler) {
 
-        if (constructorRE.test(exp)) {
 
+        // unicode and 'constructor' are not allowed for XSS security.
 
+        if (unicodeRE.test(exp) || constructorRE.test(exp)) {
 
             utils.warn('Unsafe expression: ' + exp)
 
             utils.warn('Unsafe expression: ' + exp)
 
             return function () {}
 
             return function () {}
 
         }
 
         }

+ 27 - 13
test/unit/specs/exp-parser.js
Voir le fichier 

@@ -112,20 +112,34 @@ describe('UNIT: Expression Parser', function () {
 
 
 
     })
 
     })
 
 
 
-    describe('Basic XSS protection', function () {
 
+    describe('XSS protection', function () {
 
         
         
-        var cases = [{
 
-            xss: true,
 
-            exp: "constructor.constructor('alert(1)')()",
 
-            vm: {},
 
-            expectedValue: undefined
 
-        },
 
-        {
 
-            xss: true,
 
-            exp: "\"\".toString.constructor.constructor('alert(1)')()",
 
-            vm: {},
 
-            expectedValue: undefined
 
-        }]
 
+        var cases = [
 
+            {
 
+                xss: true,
 
+                exp: "constructor.constructor('alert(1)')()",
 
+                vm: {},
 
+                expectedValue: undefined
 
+            },
 
+            {
 
+                xss: true,
 
+                exp: "\"\".toString.constructor.constructor('alert(1)')()",
 
+                vm: {},
 
+                expectedValue: undefined
 
+            },
 
+            {
 
+                xss: true,
 
+                exp: "\"\".toString['cons' + 'tructor']['cons' + 'tructor']('alert(1)')()",
 
+                vm: {},
 
+                expectedValue: undefined
 
+            },
 
+            {
 
+                xss: true,
 
+                exp: "\"\".toString['\\u0063ons' + 'tructor']['\\u0063ons' + 'tructor']('alert(1)')()",
 
+                vm: {},
 
+                expectedValue: undefined
 
+            }
 
+        ]
 
 
 
         cases.forEach(describeCase)
 
         cases.forEach(describeCase)