-> v2.0.1

Author: Rich-Harris

CHANGELOG.md

@@ -1,5 +1,9 @@
 # devalue changelog
 
+## 2.0.1
+
+* Prevent regex XSS vulnerability in non-Node environments
+
 ## 2.0.0
 
 * Change license to MIT

package.json

@@ -1,7 +1,7 @@
 {
   "name": "devalue",
   "description": "Gets the job done when JSON.stringify can't",
-  "version": "2.0.0",
+  "version": "2.0.1",
   "repository": "Rich-Harris/devalue",
   "main": "dist/devalue.umd.js",
   "module": "dist/devalue.esm.js",

src/index.ts

@@ -101,7 +101,7 @@ export default function devalue(value: any) {
 				return `Object(${stringify(thing.valueOf())})`;
 
 			case 'RegExp':
-				return thing.toString();
+				return `new RegExp(${stringifyString(thing.source)}, "${thing.flags}")`;
 
 			case 'Date':
 				return `new Date(${thing.getTime()})`;

test/test.ts

@@ -25,7 +25,7 @@ describe('devalue', () => {
 		test('null', null, 'null');
 		test('NaN', NaN, 'NaN');
 		test('Infinity', Infinity, 'Infinity');
-		test('RegExp', /regexp/img, '/regexp/gim');
+		test('RegExp', /regexp/img, 'new RegExp("regexp", "gim")');
 		test('Date', new Date(1e12), 'new Date(1000000000000)');
 		test('Array', ['a', 'b', 'c'], '["a","b","c"]');
 		test('Array (empty)', [], '[]');
@@ -92,7 +92,12 @@ describe('devalue', () => {
 			'Dangerous key',
 			{ '<svg onload=alert("xss_works")>': 'bar' },
 			'{"\\u003Csvg onload=alert(\\"xss_works\\")\\u003E":"bar"}'
-		)
+		);
+		test(
+			'Dangerous regex',
+			/[</script><script>alert('xss')//]/,
+			`new RegExp("[\\u003C\\\\\\u002Fscript\\u003E\\u003Cscript\\u003Ealert('xss')\\\\\\u002F\\\\\\u002F]", "")`
+		);
 	});
 
 	describe('misc', () => {