Skip to content
Permalink
Browse files
fix: fix potential xss vulnerability in ssr
  • Loading branch information
yyx990803 committed Aug 1, 2018
1 parent 2534219 commit c28f79290d57240c607d8cec3b3413b49702e1fb
Showing 4 changed files with 48 additions and 1 deletion.
@@ -14,6 +14,8 @@ import {
isFalsyAttrValue
} from 'web/util/attrs'

import { isSSRUnsafeAttr } from 'web/server/util'

export default function renderAttrs (node: VNodeWithData): string {
let attrs = node.data.attrs
let res = ''
@@ -34,6 +36,9 @@ export default function renderAttrs (node: VNodeWithData): string {
}

for (const key in attrs) {
if (isSSRUnsafeAttr(key)) {
continue
}
if (key === 'style') {
// leave it to the style module
continue
@@ -18,6 +18,11 @@ const isAttr = makeMap(
'target,title,type,usemap,value,width,wrap'
)

const unsafeAttrCharRE = /[>/="'\u0009\u000a\u000c\u0020]/
export const isSSRUnsafeAttr = name => {
return unsafeAttrCharRE.test(name)
}

/* istanbul ignore next */
const isRenderableAttr = (name: string): boolean => {
return (
@@ -1,6 +1,6 @@
/* @flow */

import { escape } from 'web/server/util'
import { escape, isSSRUnsafeAttr } from 'web/server/util'
import { isObject, extend } from 'shared/util'
import { renderAttr } from 'web/server/modules/attrs'
import { renderClass } from 'web/util/class'
@@ -109,6 +109,9 @@ function renderStringList (
function renderAttrs (obj: Object): string {
let res = ''
for (const key in obj) {
if (isSSRUnsafeAttr(key)) {
continue
}
res += renderAttr(key, obj[key])
}
return res
@@ -929,6 +929,40 @@ describe('SSR: renderToString', () => {
})
})

it('should prevent xss in attribute names', done => {
renderVmWithOptions({
data: {
xss: {
'foo="bar"></div><script>alert(1)</script>': ''
}
},
template: `
<div v-bind="xss"></div>
`
}, res => {
expect(res).not.toContain(`<script>alert(1)</script>`)
done()
})
})

it('should prevent xss in attribute names (optimized)', done => {
renderVmWithOptions({
data: {
xss: {
'foo="bar"></div><script>alert(1)</script>': ''
}
},
template: `
<div>
<a v-bind="xss">foo</a>
</div>
`
}, res => {
expect(res).not.toContain(`<script>alert(1)</script>`)
done()
})
})

it('should prevent script xss with v-bind object syntax + array value', done => {
renderVmWithOptions({
data: {

0 comments on commit c28f792

Please sign in to comment.