Bugfix to avoid code injection when eval()

floatinghotpot · Apr 8, 2016 · 8bb3552 · 8bb3552
1 parent 9ca2934
commit 8bb3552
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 1 deletion.
diff --git a/mixin.js b/mixin.js
@@ -157,6 +157,9 @@ function mixin(base, mixin) {
 }
 
 function mixin_constructor(name, ctor) {
+  // validate base name to avoid evil code injection
+  if(!/^[$A-Z_][0-9A-Z_$]*$/i.test(name)) return;
+
   var str = "function __ctor() { var c = ctor.constructors; for (var i in c) { c[i].apply(this, arguments); } };".replace(/__ctor/g, name);
   eval(str);
   return eval(name);

diff --git a/package.json b/package.json
@@ -1,7 +1,7 @@
 {
   "name": "mixin-pro",
   "description": "Javascript multi-inheritance with mixin for code reuse",
-  "version": "0.6.6",
+  "version": "0.6.7",
   "author": "Raymond Xie <rjfun.mobile@gmail.com>",
   "repository": {
     "type": "git",