fix: Cross-Site Scripting vulnerability reported by Snyk security team
thetutlage committed Sep 4, 2021
1 parent 8f53d43 commit fa2c7fd
Showing 3 changed files with 27 additions and 10 deletions.
2 changes: 1 addition & 1 deletion src/Contracts/index.ts
Expand Up @@ -207,7 +207,7 @@ export interface TemplateContract {
/**
* Escape input
*/
escape<T>(input: T): T
escape(input: any): string

/**
* Rethrow exceptions by pointing back to edge source file and line number
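Review bot: The new contract signature `escape(input: any): string` widens the parameter to `any`, which disables checking at every call site, while the implementation only needs an opaque value it can test with `instanceof` and pass to `String()`; `escape(input: unknown): string` expresses that without the loss of safety. The same `any` is introduced in src/Template/index.ts on both the free `escape` function and the `Template.escape` method, so the three signatures should change together. The JSDoc above the signature still reads only `Escape input`; since the new contract promises a string for every input, it should say so, e.g. `Escape input for HTML output. Non-SafeValue inputs are stringified with String() and then escaped; a SafeValue's wrapped value is returned unescaped.` The enclosing interface continues outside the hunk.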
10 changes: 3 additions & 7 deletions src/Template/index.ts
Expand Up @@ -28,12 +28,8 @@ export class SafeValue {
/**
* Escapes a given string
*/
export function escape<T>(input: T): T extends SafeValue ? T['value'] : T {
return typeof input === 'string'
? string.escapeHTML(input)
: input instanceof SafeValue
? input.value
: input
export function escape(input: any): string {
return input instanceof SafeValue ? input.value : string.escapeHTML(String(input))
}

/**
Expand Down Expand Up @@ -197,7 +193,7 @@ export class Template extends Macroable implements TemplateContract {
* Escapes the value to be HTML safe. Only strings are escaped
* and rest all values will be returned as it is.
*/
public escape<T>(input: T): T extends SafeValue ? T['value'] : T {
public escape(input: any): string {
return escape(input)
}

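Review bot: The doc comment kept above `Template.escape` — `Only strings are escaped and rest all values will be returned as it is.` — is now false: the rewritten free function returns `string.escapeHTML(String(input))` for every non-SafeValue input, which is the fix the commit makes, so the comment now documents the vulnerable behaviour it removed. Replace it with a comment matching the new function, e.g. `Escapes the value to be HTML safe. Every non-SafeValue input is stringified with String() first, so numbers, arrays and objects are escaped via their string form; a SafeValue's wrapped value is returned as-is.` Worth noting in the same comment that `String(null)` and `String(undefined)` yield the literal text `null` / `undefined`, which the previous implementation would have passed through unchanged, since callers that relied on that pass-through will now see those words rendered. The `SafeValue` class and the rest of `Template` lie outside the hunks.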
25 changes: 23 additions & 2 deletions test/template.spec.ts
Expand Up @@ -140,11 +140,11 @@ test.group('Template', (group) => {
assert.equal(template.escape('<h2> Hello world </h2>'), '&lt;h2&gt; Hello world &lt;/h2&gt;')
})

test('do not escape values, which are not string', (assert) => {
test('stringify value during escape', (assert) => {
const processor = new Processor()
const compiler = new Compiler(loader, tags, processor, { cache: false })
const template = new Template(compiler, {}, {}, processor)
assert.equal(template.escape(22), 22)
assert.equal(template.escape(22), '22')
})

test('do not escape values, which instance of safe value', (assert) => {
Expand All @@ -154,6 +154,27 @@ test.group('Template', (group) => {
assert.equal(template.escape(safeValue('<h2> Hello world </h2>')), '<h2> Hello world </h2>')
})

test('stringify array before escape', (assert) => {
const processor = new Processor()
const compiler = new Compiler(loader, tags, processor, { cache: false })
const template = new Template(compiler, {}, {}, processor)
assert.equal(template.escape(['<h2> Hello world </h2>']), '&lt;h2&gt; Hello world &lt;/h2&gt;')
})

test('stringify object before escape', (assert) => {
const processor = new Processor()
const compiler = new Compiler(loader, tags, processor, { cache: false })
const template = new Template(compiler, {}, {}, processor)
assert.equal(
template.escape({
toString() {
return '<h2> Hello world </h2>'
},
}),
'&lt;h2&gt; Hello world &lt;/h2&gt;'
)
})

test('add macros to context', (assert) => {
Template.macro('upper', (username) => {
return username.toUpperCase()
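Review bot: The added tests pin the array and `toString()` cases but not `null`/`undefined`, which are the inputs whose behaviour changed most visibly with `String(input)`: the old code returned them untouched and the new code renders the words `null` and `undefined`. A one-line assertion in the 'stringify value during escape' group would fix that contract, e.g. `assert.equal(template.escape(undefined), 'undefined')` alongside `assert.equal(template.escape(null), 'null')`. The existing safe-value test already covers that a `SafeValue` bypasses escaping, so no further case is needed there.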
