
Unsafe Regex #7

Closed
e2b opened this Issue Jan 25, 2013 · 5 comments

2 participants

@e2b
Collaborator
e2b commented Jan 25, 2013

The used regular expressions are problematic and will easily break the VM. Here are some points:

  • Greedy wildcard matching (.+) instead of a non-greedy one (.+?). This will skip the end tag if another one follows, e.g. <%= var %> foo <%= bar %> becomes print(var %> foo <%= bar);
  • Hardcoded end tag (should be a variable)
  • Can't handle multiline JavaScript in the template tags
  • Can't handle double quotes within JavaScript in the template tags

I'm currently working on a commit, hopefully resolving all bugs. Pull request follows.

Also you might consider releasing a new version of parrot, since the 0.3.0 that can be downloaded via npm is outdated.
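The greedy-match bug and the fixes the comment lists, as an added example that is not parrot's own code; the `<%= ... %>` delimiters, the `print(...)` output form and the sample templates are assumptions:

```javascript
// Minimal tag-to-code translator (added example, not parrot's implementation).
// Template text that is mis-parsed ends up inside generated JS, which is why
// the tag regex has to stop at the right delimiter.

// Buggy form: greedy `.+` runs to the LAST `%>` on the line, so the text
// between two tags is swallowed into one print(); `.` also never matches a
// newline, so a tag spanning lines is not recognised at all.
function compileGreedy(template) {
  return template.replace(/<%=\s*(.+)\s*%>/g, (m, js) => `print(${js.trim()});`);
}

// Fixed form: delimiters are parameters (escaped before being put in a
// RegExp), `[\s\S]` lets a tag span lines, and the lazy `*?` makes each tag
// end at its own closing delimiter. Quotes inside the JS are passed through.
function compile(template, open = '<%=', close = '%>') {
  const esc = s => s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
  const tag = new RegExp(esc(open) + '\\s*([\\s\\S]*?)\\s*' + esc(close), 'g');
  return template.replace(tag, (m, js) => `print(${js.trim()});`);
}

// Constructed sample templates illustrating each point from the issue.
const twoTags = '<%= var %> foo <%= bar %>';
const multiLine = '<%=\n  a +\n  b\n%>';
const withQuotes = '<%= greet("World") %>';

console.log(compileGreedy(twoTags)); // print(var %> foo <%= bar);
console.log(compile(twoTags));       // print(var); foo print(bar);
console.log(compile(multiLine));     // print(a +\n  b);
console.log(compile(withQuotes));    // print(greet("World"));
console.log(compile('{{ x }}', '{{', '}}')); // print(x);
```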

@ollym
Owner
ollym commented Jan 25, 2013

I agree with all those points, I haven't done anything with this project for... months! I'd also like to change a lot of the syntax. Currently it follows a PHP-like syntax with ERB handlers, I'd rather make a complete transition to ERB-like syntax and support CoffeeScript.

However I no longer have a use for this project so welcome any contributions.

Let me know your thoughts / concerns.

@e2b e2b added a commit to e2b/parrot that referenced this issue Jan 25, 2013
@e2b e2b fixed/improved the Regex part, see #7 d0035a1
@e2b
Collaborator
e2b commented Jan 25, 2013

Well, I just use parrot in a small project, for separating the template from the code. Other template engines come with more complex logic and id matching etc., but I'm quite happy with inserting variables or defining simple logic inline. Therefore I've spent some time on fixing/improving this (#8). Now it works the way I expect. :-)

@ollym
Owner
ollym commented Jan 25, 2013

Thanks for your hard work, I've added you as a contributor to the project to continue its legacy as you see fit as I no longer have the time to maintain it. Long live oss!

@e2b
Collaborator
e2b commented Jan 25, 2013

Thanks for your confidence. But you might still handle the update for the npm repository, since I'm not really aware of how it works. I just changed the version to 0.3.1 in the codebase and also created a corresponding tag.

@e2b
Collaborator
e2b commented Jan 28, 2013

npm is updated to 0.3.1. Thanks.

@e2b e2b closed this Jan 28, 2013