From 5fe8fcf514d2752b2dd43fd21d7fb97e8a5e023f Mon Sep 17 00:00:00 2001
From: Sven Tschui
Date: Sun, 12 May 2019 22:36:59 +0200
Subject: [PATCH 1/4] Make JSON injection prevention hot loader compliant
---
 mangle.json | 3 ++-
 src/create-element.js | 2 +-
 src/diff/index.js | 6 +++---
 test/shared/createElement.test.js | 2 +-
 4 files changed, 7 insertions(+), 6 deletions(-)
diff --git a/mangle.json b/mangle.json
index 0a30183bbc9..e23e01fa811 100644
--- a/mangle.json
+++ b/mangle.json
@@ -34,7 +34,8 @@
 "$_defaultValue": "__p",
 "$_id": "__c",
 "$_parentDom": "__P",
- "$_self": "_"
+ "$_self": "_",
+ "$__self": "__"
 }
 }
 }
\ No newline at end of file
diff --git a/src/create-element.js b/src/create-element.js
index 1b7813f65f7..d4ce2158452 100644
--- a/src/create-element.js
+++ b/src/create-element.js
@@ -62,7 +62,7 @@ export function createVNode(type, props, key, ref) {
 _lastDomChild: null,
 _component: null
 };
- vnode._self = vnode;
+ vnode._self = vnode.__self = {};
 if (options.vnode) options.vnode(vnode);
diff --git a/src/diff/index.js b/src/diff/index.js
index be14cf60c68..69a803335c9 100644
--- a/src/diff/index.js
+++ b/src/diff/index.js
@@ -34,10 +34,10 @@ export function diff(parentDom, newVNode, oldVNode, context, isSvg, excessDomChi
 let c, tmp, isNew, oldProps, oldState, snapshot,
 newType = newVNode.type, clearProcessingException;
- // When passing through createElement it assigns the object
- // ref on _self, to prevent JSON Injection we check if this attribute
+ // When passing through createElement it assigns an object
+ // ref on _self and __self, to prevent JSON Injection we check if this attribute
 // is equal.
- if (newVNode._self!==newVNode) return null;
+ if (newVNode._self!==newVNode.__self) return null;
 if (tmp = options.diff) tmp(newVNode);
diff --git a/test/shared/createElement.test.js b/test/shared/createElement.test.js
index d937fb78ae3..894eec069eb 100644
--- a/test/shared/createElement.test.js
+++ b/test/shared/createElement.test.js
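Review bot: The new guard `if (newVNode._self!==newVNode.__self) return null;` in the `src/diff/index.js` hunk no longer rejects plain parsed-JSON objects: when both properties are absent, or hold the same primitive, the two sides compare equal and the object is accepted as a vnode. The removed `newVNode._self!==newVNode` comparison could not be satisfied by parsed JSON, because a parsed object cannot hold a reference to itself. Patch 2/4 of this series replaces the comparison with an identity check against `EMPTY_OBJ`, so the gap exists only in this intermediate commit; squashing 1/4 into 2/4 keeps a bisect or cherry-pick from landing on it. The same pairing appears in `vnode._self = vnode.__self = {};` in the `createVNode` hunk and in the test assertion `expect(vnode._self).to.equal(vnode.__self);`. The body of `diff` continues outside the hunk.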
@@ -34,7 +34,7 @@ describe('createElement(jsx)', () => {
 it('should set VNode._self property to prevent json injection', () => {
 const vnode = ;
- expect(vnode._self).to.equal(vnode);
+ expect(vnode._self).to.equal(vnode.__self);
 });
 it('should set VNode#props property', () => {
From 28b816ded288234c428176b2b8c850851b04c756 Mon Sep 17 00:00:00 2001
From: Sven Tschui
Date: Sun, 12 May 2019 22:52:47 +0200
Subject: [PATCH 2/4] Use EMPTY_OBJECT as proposed by @JoviDeCroock
---
 mangle.json | 3 +--
 src/create-element.js | 3 ++-
 src/diff/index.js | 2 +-
 3 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/mangle.json b/mangle.json
index e23e01fa811..0a30183bbc9 100644
--- a/mangle.json
+++ b/mangle.json
@@ -34,8 +34,7 @@
 "$_defaultValue": "__p",
 "$_id": "__c",
 "$_parentDom": "__P",
- "$_self": "_",
- "$__self": "__"
+ "$_self": "_"
 }
 }
 }
\ No newline at end of file
diff --git a/src/create-element.js b/src/create-element.js
index d4ce2158452..330ccfd9155 100644
--- a/src/create-element.js
+++ b/src/create-element.js
@@ -1,5 +1,6 @@
 import options from './options';
 import { assign } from './util';
+import { EMPTY_OBJ } from './constants';
 /**
 * Create an virtual node (used for JSX)
@@ -62,7 +63,7 @@ export function createVNode(type, props, key, ref) {
 _lastDomChild: null,
 _component: null
 };
- vnode._self = vnode.__self = {};
+ vnode._self = EMPTY_OBJ;
 if (options.vnode) options.vnode(vnode);
diff --git a/src/diff/index.js b/src/diff/index.js
index 69a803335c9..cb7dc2d0d8b 100644
--- a/src/diff/index.js
+++ b/src/diff/index.js
@@ -37,7 +37,7 @@ export function diff(parentDom, newVNode, oldVNode, context, isSvg, excessDomChi
 // When passing through createElement it assigns an object
 // ref on _self and __self, to prevent JSON Injection we check if this attribute
 // is equal.
- if (newVNode._self!==newVNode.__self) return null;
+ if (newVNode._self!==EMPTY_OBJ) return null;
 if (tmp = options.diff) tmp(newVNode);
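Review bot: The guard `if (newVNode._self!==EMPTY_OBJ) return null;` in the `src/diff/index.js` hunk now depends on `createVNode` and `diff` resolving the same `EMPTY_OBJ` instance, and a mismatch fails silently. If two copies of the library end up in one bundle (inferred, not visible here), a vnode created by one copy would be dropped by the other, whereas the original `_self!==newVNode` check did not depend on module identity. A debug-build warning on the rejection path would make a rejected vnode distinguishable from a legitimately empty render. The hunk adds no import of `EMPTY_OBJ` to `src/diff/index.js`; presumably the file already imports it from `../constants`, but that lies outside the hunk and should be confirmed. The body of `diff` continues outside the hunk.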
From 0e3b5aabb2459178f97b6f8a349e970ee6976261 Mon Sep 17 00:00:00 2001
From: Sven Tschui
Date: Sun, 12 May 2019 22:57:05 +0200
Subject: [PATCH 3/4] =?UTF-8?q?Commit=20lost=20test=20=F0=9F=A4=A6?= =?UTF-8?q?=E2=80=8D=E2=99=82=EF=B8=8F?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 test/shared/createElement.test.js | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/test/shared/createElement.test.js b/test/shared/createElement.test.js
index 894eec069eb..3e0261f18ff 100644
--- a/test/shared/createElement.test.js
+++ b/test/shared/createElement.test.js
@@ -1,6 +1,7 @@
 import { createElement as h } from '../../src/index';
 // import { VNode } from '../../src/vnode';
 import { expect } from 'chai';
+import { EMPTY_OBJ } from '../../src/constants';
 /*eslint-env browser, mocha */
@@ -34,7 +35,7 @@ describe('createElement(jsx)', () => {
 it('should set VNode._self property to prevent json injection', () => {
 const vnode = ;
- expect(vnode._self).to.equal(vnode.__self);
+ expect(vnode._self).to.equal(EMPTY_OBJ);
 });
 it('should set VNode#props property', () => {
From dabbf8daff0fc90b2b81762ff06e51e3c95c22c4 Mon Sep 17 00:00:00 2001
From: Sven Tschui
Date: Sun, 12 May 2019 22:58:44 +0200
Subject: [PATCH 4/4] Fix comment
---
 src/diff/index.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/diff/index.js b/src/diff/index.js
index cb7dc2d0d8b..13a23a09077 100644
--- a/src/diff/index.js
+++ b/src/diff/index.js
@@ -35,7 +35,7 @@ export function diff(parentDom, newVNode, oldVNode, context, isSvg, excessDomChi
 newType = newVNode.type, clearProcessingException;
 // When passing through createElement it assigns an object
- // ref on _self and __self, to prevent JSON Injection we check if this attribute
+ // ref on _self, to prevent JSON Injection we check if this attribute
 // is equal.
 if (newVNode._self!==EMPTY_OBJ) return null;
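Review bot: The test `it('should set VNode._self property to prevent json injection', ...)` in patch 3/4 asserts only that the marker is assigned, not that an object without it is rejected, so a regression in the `diff()` guard would leave it green. A companion case is needed that round-trips a vnode with `JSON.parse(JSON.stringify(vnode))`, renders the copy, and asserts that nothing reaches the DOM. The new `import { EMPTY_OBJ } from '../../src/constants';` couples the test to an internal constant, which merits a one-line comment saying it is the trust marker under test.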
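Review bot: The comment left in `diff()` by patch 4/4 still reads "assigns an object ref on _self ... we check if this attribute is equal" without saying what it is compared against or why parsed JSON cannot pass. Since this line is the security boundary, the comment should state the mechanism, for example `// createVNode() stamps every vnode with the shared EMPTY_OBJ reference on _self.` followed by `// An object that arrived as parsed JSON cannot hold that reference, so it is rejected here.` The body of `diff` continues outside the hunk.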