We read every piece of feedback, and take your input very seriously.
To see all available qualifiers, see our documentation.
There was an error while loading. Please reload this page.
1 parent fe3d061 commit 751ed46Copy full SHA for 751ed46
test/test.ts
@@ -88,6 +88,11 @@ describe('devalue', () => {
88
`</script><script src='https://evil.com/script.js'>alert('pwned')</script><script>`,
89
`"\\u003C\\u002Fscript\\u003E\\u003Cscript src='https:\\u002F\\u002Fevil.com\\u002Fscript.js'\\u003Ealert('pwned')\\u003C\\u002Fscript\\u003E\\u003Cscript\\u003E"`
90
);
91
+ test(
92
+ 'Dangerous key',
93
+ { '<svg onload=alert("xss_works")>': 'bar' },
94
+ '{"\\\\u003Csvg onload=alert(\\"xss_works\\")\\\\u003E":"bar"}'
95
+ )
96
});
97
98
describe('misc', () => {
@@ -109,4 +114,4 @@ describe('devalue', () => {
109
114
assert.throws(() => devalue({ [Symbol()]: null }));
110
115
111
116
112
-});
117
+});
0 commit comments