Sanitize sourceURL so it cannot affect evaled code (lodash#4518)
1 parent 0cec225 commit e7b28ea

2 files changed

+15
-5
lines changed


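--- a/lodash.js
+++ b/lodash.js
@@ -14821,11 +14821,11 @@
 
 // Use a sourceURL for easier debugging.
 // The sourceURL gets injected into the source that's eval-ed, so be careful
-// with lookup (in case of e.g. prototype pollution), and strip newlines if any.
-// A newline wouldn't be a valid sourceURL anyway, and it'd enable code injection.
+// to normalize all kinds of whitespace, so e.g. newlines (and unicode versions of it) can't sneak in
+// and escape the comment, thus injecting code that gets evaled.
 var sourceURL = '//# sourceURL=' +
 (hasOwnProperty.call(options, 'sourceURL')
-? (options.sourceURL + '').replace(/[\r\n]/g, ' ')
+? (options.sourceURL + '').replace(/\s/g, ' ')
 : ('lodash.templateSources[' + (++templateCounter) + ']')
 ) + '\n';
 
@@ -14858,8 +14858,6 @@
 
 // If `variable` is not specified wrap a with-statement around the generated
 // code to add the data object to the top of the scope chain.
-// Like with sourceURL, we take care to not check the option's prototype,
-// as this configuration is a code injection vector.
 var variable = hasOwnProperty.call(options, 'variable') && options.variable;
 if (!variable) {
 s BCB6 ource = 'with (obj) {\n' + source + '\n}\n';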
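Review bot: The two comment lines deleted above `var variable = hasOwnProperty.call(options, 'variable') && options.variable;` were the only explanation of why the own-property check is there; without them the guard reads like a no-op that a later cleanup could collapse to `options.variable`, reopening the prototype-pollution path the old comment named. I would keep a one-line version next to the guard, `// Own-property check only: a polluted Object.prototype.variable would otherwise be spliced into the generated source.`, with the caveat that the place where `variable` is interpolated into the generated code lies outside this hunk. The `/\s/g` normalization in the first hunk does cover all four ECMAScript line terminators (LF, CR, U+2028, U+2029), so the `//# sourceURL=` comment can no longer be cut short by the option value. The enclosing function starts and ends outside both hunks, and the last context line looks garbled by extraction (presumably `source = 'with (obj) {\n' + source + '\n}\n';`).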

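--- a/test/test.js
+++ b/test/test.js
@@ -22641,6 +22641,18 @@
 assert.deepEqual(actual, expected);
 });
 
+QUnit.test('should not let a sourceURL inject code', function(assert) {
+assert.expect(1);
+
+var actual,
+expected = 'no error';
+try {
+actual = _.template(expected, {'sourceURL': '\u2028\u2029\n!this would err if it was executed!'})();
+} catch (e) {}
+
+assert.equal(actual, expected);
+});
+
 QUnit.test('should work as an iteratee for methods like `_.map`', function(assert) {
 assert.expect(1);
 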
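Review bot: The empty `catch (e) {}` in the new test hides the reason for a failure: if `_.template` or the compiled function throws, `actual` stays `undefined` and the only report is that `undefined` is not `'no error'`, with the injected code's actual error message lost. Dropping the try/catch and calling `actual = _.template(expected, {'sourceURL': '\u2028\u2029\n!this would err if it was executed!'})();` directly lets QUnit surface the thrown error with its message, which is far more useful when the regression reappears. The fixture also exercises only LS, PS and LF; `\r` was covered by the old `/[\r\n]/` pattern but is no longer asserted anywhere, so a loop over `['\n', '\r', '\u2028', '\u2029']` building one template each would pin every terminator the `\s` replacement is now expected to neutralize. The `QUnit.test` that begins on the last context lines continues past the hunk boundary.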
