Security Issues #18

merged 2 commits into from Oct 5, 2017


@matt- matt- commented Oct 5, 2017

This should address the unsafe code in ExpressionStatement / FunctionExpression blocks:

var src = '(function(){console.log(})()';

As well as the issue described at #4. The current fix for this is to not allow any member expressions to resolve from a function.

[1,2,3].map // will be allowed
[1,2,3].map.constructor // should be blocked

I believe the next step should be to try to refactor out the dynamic Function call completely.
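
The rule described in the comment above, shown as an added example that is not part of the patch or of static-eval's source: a small evaluator over hand-built ESTree-shaped nodes that refuses to resolve any property from a function value. The names `evaluate`, `BLOCKED`, `lit` and `member` are hypothetical, and the nodes are constructed inline so no parser is needed.

```javascript
// Hypothetical sentinel meaning "refuse to evaluate this expression".
const BLOCKED = Symbol('blocked');

function evaluate(node) {
  switch (node.type) {
    case 'Literal':
      return node.value;
    case 'ArrayExpression': {
      const items = node.elements.map(evaluate);
      return items.includes(BLOCKED) ? BLOCKED : items;
    }
    case 'MemberExpression': {
      const obj = evaluate(node.object);
      if (obj === BLOCKED || obj === null || obj === undefined) return BLOCKED;
      // The guard: never resolve a property *from* a function value.
      // Every function's .constructor is Function, which compiles strings
      // into code, so the chain is cut at the function itself.
      if (typeof obj === 'function') return BLOCKED;
      const key = node.computed ? evaluate(node.property) : node.property.name;
      if (key === BLOCKED) return BLOCKED;
      return obj[key];
    }
    default:
      return BLOCKED; // unknown node types are rejected, not guessed at
  }
}

// Constructed sample nodes (ESTree shape), equivalent to the two lines above.
const lit = (value) => ({ type: 'Literal', value });
const member = (object, name) => ({
  type: 'MemberExpression',
  object,
  computed: false,
  property: { type: 'Identifier', name },
});
const arr = { type: 'ArrayExpression', elements: [lit(1), lit(2), lit(3)] };

const mapRef = evaluate(member(arr, 'map'));                        // allowed
const viaDot = evaluate(member(member(arr, 'map'), 'constructor')); // blocked
const viaComputed = evaluate({                                      // blocked
  type: 'MemberExpression',
  object: member(arr, 'map'),
  computed: true,
  property: lit('constructor'), // [1,2,3].map['constructor']
});
```

The guard checks the type of the resolved object rather than the property name, so the computed form is blocked the same way as the dotted form.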

@substack substack merged commit fca6227 into browserify:master Oct 5, 2017

@substack substack commented Oct 5, 2017

Thanks for the patch. I've released this as 2.0.0 because there are some packages such as static-module that break with these changes.
