From ab29deed14e0b6d266fc5a90b8f46950ce096431 Mon Sep 17 00:00:00 2001
From: Yiyu He <dead_horse@qq.com>
Date: Sun, 15 Apr 2018 01:10:41 +0800
Subject: [PATCH] fix: set context data more safely (#14)

---
 lib/assets_context.js | 11 ++---------
 test/assets.test.js   | 20 ++++++++++----------
 2 files changed, 12 insertions(+), 19 deletions(-)

diff --git a/lib/assets_context.js b/lib/assets_context.js
index 4b8fd18..e8387eb 100644
--- a/lib/assets_context.js
+++ b/lib/assets_context.js
@@ -48,7 +48,7 @@ class Assets {
   getContext(data) {
     data = safeStringify(data || this.assetsContext);
     let ret = `<div id="${CONTEXT_TEMPLATE_ID}" style="display:none">${data}</div>\n`;
-    ret += `<script>window.${this.config.contextKey} = JSON.parse(document.getElementById('${CONTEXT_TEMPLATE_ID}').textContent || '{}');</script>`;
+    ret += `<script>window.${this.config.contextKey} = JSON.parse(decodeURIComponent(window.atob(document.getElementById('${CONTEXT_TEMPLATE_ID}').textContent)) || '{}');</script>`;
     return ret;
   }
 
@@ -82,16 +82,9 @@ function scriptTpl({ url }) {
   return `<script src="${url}"></script>`;
 }
 
-const escapeMap = {
-  '<': '&lt;',
-  '>': '&gt;',
-};
 function safeStringify(data) {
   if (!data) return '';
-  return JSON.stringify(data)
-    .replace(/[<>]/g, function(ch) {
-      return escapeMap[ch];
-    });
+  return new Buffer(encodeURIComponent(JSON.stringify(data))).toString('base64');
 }
 
 function normalizePublicPath(publicPath) {
diff --git a/test/assets.test.js b/test/assets.test.js
index 979e2d0..7d7f36c 100644
--- a/test/assets.test.js
+++ b/test/assets.test.js
@@ -29,7 +29,7 @@ describe('test/assets.test.js', () => {
           .get('/')
           .expect(/<div id="root"><\/div>/)
           .expect(/<link rel="stylesheet" href="http:\/\/127.0.0.1:8000\/index.css"><\/link>/)
-          .expect(/style="display:none">{"data":1}<\/div>/)
+          .expect(/style="display:none">JTdCJTIyZGF0YSUyMiUzQTElN0Q=<\/div>/)
           .expect(/<script src="http:\/\/127.0.0.1:8000\/index.js"><\/script>/)
           .expect(/<script>window.__webpack_public_path__ = '\/';<\/script>/)
           .expect(200);
@@ -61,7 +61,7 @@ describe('test/assets.test.js', () => {
           .get('/')
           .expect(/<div id="root"><\/div>/)
           .expect(/<link rel="stylesheet" href="http:\/\/cdn.com\/app\/public\/index.b8e2efea.css"><\/link>/)
-          .expect(/style="display:none">{"data":1}<\/div>/)
+          .expect(/style="display:none">JTdCJTIyZGF0YSUyMiUzQTElN0Q=<\/div>/)
           .expect(/<script src="http:\/\/cdn.com\/app\/public\/index.c4ae6394.js"><\/script>/)
           .expect(/<script>window.__webpack_public_path__ = '\/app\/public\/';<\/script>/)
           .expect(200);
@@ -95,7 +95,7 @@ describe('test/assets.test.js', () => {
       it('should render context', () => {
         return app.httpRequest()
           .get('/context')
-          .expect(/style="display:none">{"data":1}<\/div>/)
+          .expect(/style="display:none">JTdCJTIyZGF0YSUyMiUzQTElN0Q=<\/div>/)
           .expect(200);
       });
 
@@ -104,7 +104,7 @@ describe('test/assets.test.js', () => {
           .get('/options')
           .expect(/<div id="root"><\/div>/)
           .expect(/<link rel="stylesheet" href="http:\/\/127.0.0.1:8000\/index.css"><\/link>/)
-          .expect(/style="display:none">{}<\/div>/)
+          .expect(/style="display:none">JTdCJTdE<\/div>/)
           .expect(/<script src="http:\/\/127.0.0.1:8000\/index.js"><\/script>/)
           .expect(200);
       });
@@ -115,14 +115,14 @@ describe('test/assets.test.js', () => {
 
         await app.httpRequest()
           .get('/cache')
-          .expect(/{"data":1}/)
+          .expect(/JTdCJTIyZGF0YSUyMiUzQTElN0Q=/)
           .expect(200);
 
         await fs.writeFile(template, 'override');
 
         await app.httpRequest()
           .get('/cache')
-          .expect(/{"data":1}/)
+          .expect(/JTdCJTIyZGF0YSUyMiUzQTElN0Q=/)
           .expect(200);
       });
 
@@ -173,7 +173,7 @@ describe('test/assets.test.js', () => {
         return app.httpRequest()
           .get('/')
           .expect(/<link rel="stylesheet" href="http:\/\/127.0.0.1:8000\/index.css"><\/link>/)
-          .expect(/style="display:none">{"data":1}<\/div>/)
+          .expect(/style="display:none">JTdCJTIyZGF0YSUyMiUzQTElN0Q=<\/div>/)
           .expect(/<script src="http:\/\/127.0.0.1:8000\/index.js"><\/script>/)
           .expect(/<script>window.__webpack_public_path__ = '\/';<\/script>/)
           .expect(/<script>window.resourceBaseUrl = 'http:\/\/127.0.0.1:8000\/';<\/script/)
@@ -195,7 +195,7 @@ describe('test/assets.test.js', () => {
         return app.httpRequest()
           .get('/')
           .expect(/<link rel="stylesheet" href="http:\/\/cdn.com\/app\/public\/index.b8e2efea.css"><\/link>/)
-          .expect(/style="display:none">{"data":1}<\/div>/)
+          .expect(/style="display:none">JTdCJTIyZGF0YSUyMiUzQTElN0Q=<\/div>/)
           .expect(/<script src="http:\/\/cdn.com\/app\/public\/index.c4ae6394.js"><\/script>/)
           .expect(/<script>window.__webpack_public_path__ = '\/app\/public\/';<\/script>/)
           .expect(/<script>window.resourceBaseUrl = 'http:\/\/cdn.com\/app\/public\/';<\/script/)
@@ -258,8 +258,8 @@ describe('test/assets.test.js', () => {
     it('should GET /', () => {
       return app.httpRequest()
         .get('/?query=<x%E2%80%A8x>')
-        .expect(/<div id="[^"]+" style="display:none">\{"query":"&lt;x\u2028x&gt;"\}<\/div>/)
-        .expect(/window.context = JSON.parse\(document.getElementById\('[^']+'\).textContent \|\| '\{\}'\);/)
+        .expect(/<div id="[^"]+" style="display:none">JTdCJTIycXVlcnklMjIlM0ElMjIlM0N4JUUyJTgwJUE4eCUzRSUyMiU3RA==<\/div>/)
+        .expect(/window\.context = JSON\.parse\(decodeURIComponent\(window\.atob\(document\.getElementById\('[^']+'\).textContent\)\) \|\| '\{\}'\);/)
         .expect(200);
     });
   });