
Stringify things before calling escapeHtml on them in case their stringified representation contains HTML #534

Merged: 1 commit merged into linkedin:master from the escape-arrays branch on Jan 27, 2015

Conversation

sethkinast
Contributor

This prevents a potential XSS attack.

Closes #449

@smfoote
Contributor

smfoote commented Jan 10, 2015

Looks good.

In lib/dust.js:

@@ -849,7 +849,10 @@
SQUOT = /\'/g;

dust.escapeHtml = function(s) {
if (typeof s === 'string') {
if (typeof s === "string" || (s && s.toString)) {
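Review bot: `(s && s.toString)` in the new guard is true for any object that carries a `toString` property, callable or not, so a value such as `{toString: 'x'}` now passes the check and whatever stringification follows has to call a non-function, which throws a TypeError where the old guard simply let the value fall through; `(s && typeof s.toString === 'function')` closes that gap without losing the intended behaviour for arrays and objects with a real `toString`. The header announces three added lines but only the changed guard is visible in this hunk, so where the value is actually stringified and whether plain strings still take their previous path cannot be reviewed here. Minor: the new line uses double quotes for `"string"` while the line it replaces and the surrounding file use single quotes.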
@jimmyhchan
Contributor

jimmyhchan commented Jan 9, 2015

would it be too paranoid to do:

typeof s === 'object' && Array.prototype.toString.call(s)

I'm not sure what happens if s is an object with the key toString or a function literal... it's a similar problem to context = [] and we try to reference context.sort . mildly related to #469

@sethkinast
Contributor Author

That's actually an intended case. If an Object has a toString method, I
want to invoke it. That gives you the potential to output a stringified
version of your special object as a Dust reference instead of getting
[object Object]

If you're worried about Objects having a property called toString, I
could additionally check that toString is a function first.


…ngified representation contains HTML.

This prevents a potential XSS attack.

Closes linkedin#449
@sethkinast
Contributor Author

Updated to make sure .toString is a function and not just a property.
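As an added example (not code from the dustjs repository or from this PR), the three versions of the guard discussed in this thread are modelled side by side against a template rendered as plain string concatenation; the function names (`escapeHtmlBefore`, `escapeHtmlFirstRevision`, `escapeHtmlAfter`, `render`) and the sample values are assumptions made for the illustration:

```javascript
// Added example (not dustjs code): a minimal model of dust.escapeHtml
// before PR #534, as first proposed in the PR, and after the follow-up
// that checks that toString is actually a function.
var AMP = /&/g, LT = /</g, GT = />/g, QUOT = /\"/g, SQUOT = /\'/g;

function escapeString(s) {
  return s.replace(AMP, '&amp;').replace(LT, '&lt;').replace(GT, '&gt;')
          .replace(QUOT, '&quot;').replace(SQUOT, '&#39;');
}

// Before: only strings are escaped; arrays and objects pass through, and
// the template later coerces them with toString(), markup intact.
function escapeHtmlBefore(s) {
  return typeof s === 'string' ? escapeString(s) : s;
}

// First revision from the PR thread: any truthy toString property counts,
// so an object whose toString is not callable makes s.toString() throw.
function escapeHtmlFirstRevision(s) {
  if (typeof s === 'string' || (s && s.toString)) {
    return escapeString(typeof s === 'string' ? s : s.toString());
  }
  return s;
}

// Final form: stringify only when toString is a function; anything else
// (null, undefined, objects with a non-callable toString) falls through.
function escapeHtmlAfter(s) {
  if (typeof s === 'string' || (s && typeof s.toString === 'function')) {
    return escapeString(typeof s === 'string' ? s : s.toString());
  }
  return s;
}

// A template modelled as string concatenation: this is the point where an
// unescaped non-string value is coerced to its toString() output.
function render(escape, value) {
  return '<p>' + escape(value) + '</p>';
}

// Constructed sample values mirroring the cases discussed in the thread.
var payloadArray = ['<script>alert(1)</script>'];
var special = { toString: function () { return '<b>hi</b>'; } };
var notCallable = { toString: 'not a function' };

console.log(render(escapeHtmlBefore, payloadArray)); // markup survives
console.log(render(escapeHtmlAfter, payloadArray));  // entity-encoded
console.log(render(escapeHtmlAfter, special));
```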

prashn64 added a commit that referenced this pull request Jan 27, 2015
Stringify things before calling escapeHtml on them in case their stringified representation contains HTML
@prashn64 prashn64 merged commit 40f6b9b into linkedin:master Jan 27, 2015
@sethkinast sethkinast deleted the escape-arrays branch March 3, 2015 19:23
Successfully merging this pull request may close these issues.

Html entities are decoded in array but not in string