Fix #11: Support double quotes in strings #12
Conversation
|
Looks good to me! Just give me some more time to read the code properly before merging. |
src/filtrex.js
Outdated
| ); | ||
| return "STRING";` | ||
| ], // "foo" | ||
| ['"(?:\\\\"|[^"])*"', 'return "STRING";'], // "foo" |
There was a problem hiding this comment.
Your regex also matches "a\" as a legit string. The not-char pattern should be something like [^"\\] instead of [^"]. This can be used as an exploit, because the next string would be actually executed as JavaScript:
"a\" == "; window.p0wned = true; //"
Also, can you guarantee that removing the JSON.stringify won't result in any malicious code? We know that everything that comes out of stringify is safe. But how can we be sure every match of your regex is safe? (After fixing the previous bug, of course, now it obviously isn't safe.)
|
I've found a potential security bug in your code, please be sure to fix it before I merge the PR. |
This reverts commit dd9510f.
|
Thanks for the detailed explanation! I added tests for these specific cases, but actually the regex was already not vulnerable to this. It seems to me this was because the first alternative in the parentheses ( Even so, it is true the regex would pretty much allow all JS escape codes to sneak in. I did not see much issue with this, though I admit I can also not guarantee it to be safe. So I have tightened the regex, so that only Adding |
|
Thank you! |
|
@arendjr Don't you mind being added to the list of contributors in README? |
|
Not at all 👍 |
This PR makes it possible to use double quotes inside strings, provided they're escaped with a preceding backslash.
Please note this PR could be considered breaking, as literal backslashes will now be interpreted as escape characters.