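--- a/[path not shown on page: source file]
+++ b/[path not shown on page: source file]
@@ -1,4 +1,5 @@
 const chars = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ_$';
+const unsafeChars = /[<>\b\f\n\r\t\0\u2028\u2029]/g;
 const reserved = /^(?:do|if|in|for|int|let|new|try|var|byte|case|char|else|enum|goto|long|this|void|with|await|break|catch|class|const|final|float|short|super|throw|while|yield|delete|double|export|import|native|return|switch|throws|typeof|boolean|default|extends|finally|package|private|abstract|continue|debugger|function|volatile|interface|protected|transient|implements|instanceof|synchronized)$/;
 const escaped: Record<string, string> = {
 	'<': '\\u003C',
@@ -220,12 +221,20 @@ function getType(thing: any) {
 	return Object.prototype.toString.call(thing).slice(8, -1);
 }
 
+function escapeUnsafeChar(c: string) {
+	return escaped[c] || c
+}
+
+function escapeUnsafeChars(str: string) {
+	return str.replace(unsafeChars, escapeUnsafeChar)
+}
+
 function safeKey(key: string) {
-	return /^[_$a-zA-Z][_$a-zA-Z0-9]*$/.test(key) ? key : JSON.stringify(key);
+	return /^[_$a-zA-Z][_$a-zA-Z0-9]*$/.test(key) ? key : escapeUnsafeChars(JSON.stringify(key));
 }
 
 function safeProp(key: string) {
-	return /^[_$a-zA-Z][_$a-zA-Z0-9]*$/.test(key) ? `.${key}` : `[${JSON.stringify(key)}]`;
+	return /^[_$a-zA-Z][_$a-zA-Z0-9]*$/.test(key) ? `.${key}` : `[${escapeUnsafeChars(JSON.stringify(key))}]`;
 }
 
 function stringifyString(str: string) {
@@ -256,4 +265,4 @@ function stringifyString(str: string) {
 
 	result += '"';
 	return result;
-}
+}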
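Review bot: `escapeUnsafeChar` (new line 225) falls back to `c` whenever `escaped` has no entry, so any character listed in the `unsafeChars` class (new line 2) but absent from the `escaped` map is emitted verbatim with no signal; only the `'<'` entry of that map is visible on this page, so I cannot confirm the two are in sync. A comment on the helper would make the coupling explicit for the next person who extends either: `// every character matched by unsafeChars needs an entry in escaped — a miss is passed through unescaped`. The two new functions also omit the trailing semicolons used on the surrounding lines (`getType`, `safeKey`, `safeProp`), and `escapeUnsafeChars(JSON.stringify(key))` now appears in both `safeKey` and `safeProp` and could be a single helper. The body of `stringifyString` at the end of the hunk continues outside it.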
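--- a/[path not shown on page: test file]
+++ b/[path not shown on page: test file]
@@ -88,6 +88,11 @@ describe('devalue', () => {
 			`</script><script src='https://evil.com/script.js'>alert('pwned')</script><script>`,
 			`"\\u003C\\u002Fscript\\u003E\\u003Cscript src='https:\\u002F\\u002Fevil.com\\u002Fscript.js'\\u003Ealert('pwned')\\u003C\\u002Fscript\\u003E\\u003Cscript\\u003E"`
 		);
+		test(
+			'Dangerous key',
+			{ '<svg onload=alert("xss_works")>': 'bar' },
+			'{"\\u003Csvg onload=alert(\\"xss_works\\")\\u003E":"bar"}'
+		)
 	});
 
 	describe('misc', () => {
@@ -109,4 +114,4 @@ describe('devalue', () => {
 			assert.throws(() => devalue({ [Symbol()]: null }));
 		});
 	});
-});
+});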
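Review bot: The new 'Dangerous key' case (new lines 91–95) exercises only `<` and `>` in an object-literal key, so the other characters the key escaping is meant to cover — in particular U+2028/U+2029, which `JSON.stringify` leaves unescaped — have no key-position test. A second case along the lines of `test('Dangerous key (line separator)', { '\u2028': 'bar' }, EXPECTED_FROM_ESCAPE_MAP)` would pin that path, with the expected string derived from the map's entry for that character. The bracket-access form built for non-identifier keys (`safeProp` in the source file) is not covered here either, if it is reachable from the public API; I cannot tell from this page whether it is.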