Using a replace function instead #335

Merged
merged 1 commit into from Jan 31, 2014


@jonrohan
Member

@masatokinugawa was so kind to email us about a security vulnerability.

This pull implements his suggestion of using a replace(/\\/g,"\\\\") instead of split("\").join("\\")

@JamesMGreene @ptoomey3 @jnewland @mastahyeti
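The escaping change this pull describes, as an added example that is not ZeroClipboard's own code: it uses the global regex replace for backslashes that the PR adopts, keeps the split/join form only for side-by-side comparison, and goes one step further than the PR by building a complete escaper for a double-quoted JavaScript string literal with a round-trip check, including the wrong-order case (quotes before backslashes) that breaks the literal. All function names and the sample inputs are constructed for this example.

```javascript
// Added example, not ZeroClipboard's own code. Demonstrates the backslash
// escaping form from the PR (a global regex replace instead of split/join)
// as one step of preparing untrusted text for a JavaScript string literal.

// Escape backslashes only: the form the PR switches to.
function escapeBackslashes(str) {
  return String(str).replace(/\\/g, "\\\\");
}

// The split/join form the PR replaces, kept only so both can be compared
// on the same inputs.
function escapeBackslashesSplitJoin(str) {
  return String(str).split("\\").join("\\\\");
}

// Full escaping for a double-quoted JS string literal. Backslashes go first:
// escaping quotes afterwards inserts new backslashes that must not be doubled.
// Line terminators are escaped too, since a raw newline ends a string literal.
function toJsStringLiteral(str) {
  const escaped = String(str)
    .replace(/\\/g, "\\\\")
    .replace(/"/g, '\\"')
    .replace(/\r/g, "\\r")
    .replace(/\n/g, "\\n")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
  return '"' + escaped + '"';
}

// The same steps in the wrong order (quotes first, then backslashes): the
// backslash inserted before each quote is doubled, so the quote ends the literal.
function wrongOrderLiteral(str) {
  const escaped = String(str)
    .replace(/"/g, '\\"')
    .replace(/\\/g, "\\\\");
  return '"' + escaped + '"';
}

// Evaluate a literal and compare it with the text it was built from. A
// SyntaxError means the content broke out of the literal, which is the
// failure mode an escaper exists to prevent.
function literalEvaluatesTo(literal, expected) {
  try {
    return new Function("return " + literal + ";")() === expected;
  } catch (e) {
    return false;
  }
}

function roundTrips(str) {
  return literalEvaluatesTo(toJsStringLiteral(str), str);
}

function wrongOrderRoundTrips(str) {
  return literalEvaluatesTo(wrongOrderLiteral(str), str);
}

// Constructed sample inputs: plain text, Windows paths, quotes, a trailing
// backslash, a backslash immediately before a quote, and line terminators.
const SAMPLES = [
  "plain text",
  "C:\\path\\to\\file",
  'say "hi"',
  "ends with backslash \\",
  '\\"',
  "line1\nline2\r\n",
];

// True when the regex-replace form and the split/join form agree on every sample.
function bothFormsAgree() {
  return SAMPLES.every((s) => escapeBackslashes(s) === escapeBackslashesSplitJoin(s));
}

// True when every sample survives a round trip through toJsStringLiteral.
function allRoundTrip() {
  return SAMPLES.every(roundTrips);
}

if (typeof require !== "undefined" && require.main === module) {
  for (const s of SAMPLES) {
    console.log(JSON.stringify(s), "->", toJsStringLiteral(s),
      "round-trips:", roundTrips(s), "wrong order:", wrongOrderRoundTrips(s));
  }
}
```

Run it with `node escape-example.js` to see each sample, its literal form, and whether the correct and wrong-order escapers round-trip. In plain JavaScript the two backslash-escaping forms produce identical output on these inputs; the page does not state why the split/join form was a problem in ZeroClipboard's case, so this example only shows the replace form the PR adopts and the ordering rule that any such escaper has to respect.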

@JamesMGreene
Member

Interesting and annoying. Big thanks to @masatokinugawa, though!

I can write up a complementary PR for something I was working on locally, too, which ignores all loaderInfo.parameters whose keys are in the SWF query parameters.

@JamesMGreene
Member

Rebuilt and squashed.

@jonrohan
Member

thanks @JamesMGreene 👍

@JamesMGreene JamesMGreene merged commit 2f9eb97 into master Jan 31, 2014
@JamesMGreene
Member

I'll merge it back into the 1.x-master branch in a minute here and tag a new release for you guys.

@jonrohan jonrohan deleted the xss-vunl branch Jan 31, 2014
@jonrohan jonrohan restored the xss-vunl branch Jan 31, 2014
@JamesMGreene JamesMGreene deleted the xss-vunl branch Jan 31, 2014
@JamesMGreene
Member

Tagged: v1.3.2
