This repository was archived by the owner on Feb 16, 2021. It is now read-only.

Using a replace function instead #335

Merged
merged 1 commit into from
Jan 31, 2014
jonrohan
Contributor

@masatokinugawa was so kind to email us about a security vulnerability.

This pull implements his suggestion of using a replace(/\\/g,"\\\\") instead of split("\").join("\\")

@JamesMGreene @ptoomey3 @jnewland @mastahyeti

@JamesMGreene
Member

Interesting and annoying. Big thanks to @masatokinugawa, though!

I can write up a complementary PR for something I was working on locally, too, which ignores all loaderInfo.parameters whose keys are in the SWF query parameters.

@JamesMGreene
Member

Rebuilt and squashed.

@jonrohan
Contributor Author

thanks @JamesMGreene 👍

@JamesMGreene JamesMGreene merged commit 2f9eb97 into master Jan 31, 2014
@JamesMGreene
Member

I'll merge it back into the 1.x-master branch in a minute here and tag a new release for you guys.

@jonrohan jonrohan deleted the xss-vunl branch January 31, 2014 18:05
@jonrohan jonrohan restored the xss-vunl branch January 31, 2014 18:07
@JamesMGreene JamesMGreene deleted the xss-vunl branch January 31, 2014 18:09
@JamesMGreene
Member

Tagged: v1.3.2
