Merge pull request #2 from Rich-Harris/gh-1

Rich-Harris · web-flow · commit 52e3326e0ef7 · 2018-03-10T18:46:24.000-05:00
guard against XSS
diff --git a/src/index.ts b/src/index.ts
@@ -1,16 +1,7 @@
 const chars = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ_$';
 const reserved = /^(?:do|if|in|for|int|let|new|try|var|byte|case|char|else|enum|goto|long|this|void|with|await|break|catch|class|const|final|float|short|super|throw|while|yield|delete|double|export|import|native|return|switch|throws|typeof|boolean|default|extends|finally|package|private|abstract|continue|debugger|function|volatile|interface|protected|transient|implements|instanceof|synchronized)$/;
-
-function getName(num: number) {
-	let name = '';
-
-	do {
-		name = chars[num % chars.length] + name;
-		num = ~~(num / chars.length) - 1;
-	} while (num >= 0);
-
-	return reserved.test(name) ? `${name}_` : name;
-}
+const unsafe = /[<>\/\u2028\u2029]/g;
+const escaped: Record<string, string> = { '<': '\\u003C', '>' : '\\u003E', '/': '\\u002F', '\u2028': '\\u2028', '\u2029': '\\u2029' };
 
 export default function devalue(value: any) {
 	const repeated = new Map();
@@ -173,12 +164,27 @@ export default function devalue(value: any) {
 	}
 }
 
+function getName(num: number) {
+	let name = '';
+
+	do {
+		name = chars[num % chars.length] + name;
+		num = ~~(num / chars.length) - 1;
+	} while (num >= 0);
+
+	return reserved.test(name) ? `${name}_` : name;
+}
+
 function isPrimitive(thing: any) {
 	return Object(thing) !== thing;
 }
 
+function escape(char: string) {
+	return escaped[char];
+}
+
 function stringifyPrimitive(thing: any) {
-	if (typeof thing === 'string') return JSON.stringify(thing);
+	if (typeof thing === 'string') return JSON.stringify(thing).replace(unsafe, escape);
 	if (thing === void 0) return 'void 0';
 	if (thing === 0 && 1 / thing < 0) return '-0';
 	return String(thing);
diff --git a/test/test.ts b/test/test.ts
@@ -66,6 +66,14 @@ describe('devalue', () => {
 		test('String (repetition)', [str, str], `(function(a){return [a,a]}("a string"))`);
 	});
 
+	describe('XSS', () => {
+		test(
+			'Dangerous string',
+			`</script><script src='https://evil.com/script.js'>alert('pwned')</script><script>`,
+			`"\\u003C\\u002Fscript\\u003E\\u003Cscript src='https:\\u002F\\u002Fevil.com\\u002Fscript.js'\\u003Ealert('pwned')\\u003C\\u002Fscript\\u003E\\u003Cscript\\u003E"`
+		);
+	});
+
 	describe('misc', () => {
 		test('Object without prototype', Object.create(null), 'Object.create(null)');
 
