This repository has been archived by the owner on Apr 12, 2024. It is now read-only.
Commit
refactor($parse): move around previous security changes made to $parse
1 parent: 6081f20, commit: db713a1
Showing 4 changed files with 146 additions and 204 deletions.
@@ -1,18 +1,27 @@ | ||
@ngdoc error | ||
@name $parse:isecfld | ||
@fullName Referencing 'constructor' Field in Expression | ||
@fullName Referencing Disallowed Field in Expression | ||
@description | ||
|
||
Occurs when an expression attempts to access an objects constructor field. | ||
Occurs when an expression attempts to access one of the following fields: | ||
|
||
AngularJS bans constructor access from within expressions since constructor | ||
access is a known way to execute arbitrary Javascript code. | ||
* __proto__ | ||
* __defineGetter__ | ||
* __defineSetter__ | ||
* __lookupGetter__ | ||
* __lookupSetter__ | ||
|
||
To resolve this error, avoid constructor access. As a last resort, alias | ||
the constructor and access it through the alias instead. | ||
AngularJS bans access to these fields from within expressions since | ||
access is a known way to mess with native objects or | ||
to execute arbitrary Javascript code. | ||
|
||
Example expression that would result in this error: | ||
To resolve this error, avoid using these fields in expressions. As a last resort, | ||
alias their value and access them through the alias instead. | ||
|
||
Example expressions that would result in this error: | ||
|
||
``` | ||
<div>{{user.constructor.name}}</div> | ||
``` | ||
<div>{{user.__proto__.hasOwnProperty = $emit}}</div> | ||
|
||
<div>{{user.__defineGetter__('name', noop)}}</div> | ||
``` |
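Review bot: the new field list drops `constructor`, which the removed lines described as banned because it is a known way to execute arbitrary JavaScript, and nothing in the new text says where that check went; if the `constructor` case now raises a different error, add a cross-reference to it here so readers who land on this page from the old "Referencing 'constructor' Field" title are not left without guidance. Two smaller points in the same hunk: the resolution advice "alias their value and access them through the alias instead" hands back exactly the capability the check denies (an alias of `__proto__` or `__defineGetter__` is as dangerous as the direct reference), so consider replacing it with advice to expose from the controller only the data the template needs; and "mess with native objects" / "Javascript" should read "modify the behaviour of native objects" / "JavaScript", matching the isecobj page added in this same commit, which says "modify the behaviour of existing objects".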
@@ -0,0 +1,11 @@ | ||
@ngdoc error | ||
@name $parse:isecobj | ||
@fullName Referencing Object Disallowed | ||
@description | ||
|
||
Occurs when an expression attempts to access the 'Object' object (Root object in JavaScript). | ||
|
||
Angular bans access to Object from within expressions since access is a known way to modify | ||
the behaviour of existing objects. | ||
|
||
To resolve this error, avoid Object access. |
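Review bot: describing `Object` as the "Root object in JavaScript" is inaccurate and will confuse readers; `Object` is the built-in constructor function whose `prototype` every plain object inherits from, which is precisely why reaching it from an expression can "modify the behaviour of existing objects" as the next paragraph says. Suggest rewording the first sentence to "Occurs when an expression attempts to reference the built-in `Object` constructor." Also, unlike the isecfld page in this commit, this page has no "Example expressions that would result in this error" block, and it says "Angular" where the sibling page says "AngularJS"; adding an example expression and aligning the product name would keep the two error pages consistent.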