Merge pull request #1623 from sveltejs/CVE-2018-6341

Sanitize spread attributes in SSR
7 years ago · 065d0f7411
parent e1c5eba3cc 45c52c5eb2
commit 065d0f7411
6 changed files with 48 additions and 2 deletions
--- a/src/compile/Compiler.ts
+++ b/src/compile/Compiler.ts
@ -310,7 +310,7 @@ export default class Compiler {
 						: `_svelteTransitionManager`;
 					inlineHelpers += `\n\nvar ${this.alias(name)} = window.${global} || (window.${global} = ${code});\n\n`;
-				} else if (name === 'escaped' || name === 'missingComponent') {
+				} else if (name === 'escaped' || name === 'missingComponent' || name === 'invalidAttributeNameCharacter') {
 					// vars are an awkward special case... would be nice to avoid this
 					const alias = this.alias(name);
 					inlineHelpers += `\n\nconst ${alias} = ${code};`
--- a/src/shared/ssr.js
+++ b/src/shared/ssr.js
@ -1,12 +1,23 @@
 // https://html.spec.whatwg.org/multipage/syntax.html#attributes-2
 // https://infra.spec.whatwg.org/#noncharacter
 export const invalidAttributeNameCharacter = /[\s'"<\/=\u{FDD0}-\u{FDEF}\u{FFFE}\u{FFFF}\u{1FFFE}\u{1FFFF}\u{2FFFE}\u{2FFFF}\u{3FFFE}\u{3FFFF}\u{4FFFE}\u{4FFFF}\u{5FFFE}\u{5FFFF}\u{6FFFE}\u{6FFFF}\u{7FFFE}\u{7FFFF}\u{8FFFE}\u{8FFFF}\u{9FFFE}\u{9FFFF}\u{AFFFE}\u{AFFFF}\u{BFFFE}\u{BFFFF}\u{CFFFE}\u{CFFFF}\u{DFFFE}\u{DFFFF}\u{EFFFE}\u{EFFFF}\u{FFFFE}\u{FFFFF}\u{10FFFE}\u{10FFFF}]/u;
 export function spread(args) {
 	const attributes = Object.assign({}, ...args);
 	let str = '';
 	Object.keys(attributes).forEach(name => {
 		if (invalidAttributeNameCharacter.test(name)) return;
 		const value = attributes[name];
 		if (value === undefined) return;
 		if (value === true) str += " " + name;
-		str += " " + name + "=" + JSON.stringify(value);
+
 		const escaped = String(value)
 			.replace(/"/g, '&#34;')
 			.replace(/'/g, '&#39;');
 		str += " " + name + "=" + JSON.stringify(escaped);
 	});
 	return str;
--- a/test/server-side-rendering/samples/attribute-escaped-quotes-spread/_expected.html
+++ b/test/server-side-rendering/samples/attribute-escaped-quotes-spread/_expected.html
@ -0,0 +1,4 @@
 <div
 	foo="&#34;></div><script>alert(42)</script>"
 	bar="&#39;></div><script>alert(42)</script>"
 ></div>
--- a/test/server-side-rendering/samples/attribute-escaped-quotes-spread/main.html
+++ b/test/server-side-rendering/samples/attribute-escaped-quotes-spread/main.html
@ -0,0 +1,16 @@
 <div {...props}></div>
 <script>
 	export default {
 		data() {
 			return {
 				props: {
 					foo: '"></div><script>alert(42)</' + 'script>',
 					bar: "'></div><script>alert(42)</" + 'script>',
 					['"></div><script>alert(42)</' + 'script>']: 'baz'
 				}
 			};
 		}
 	};
 </script>
--- a/test/server-side-rendering/samples/attribute-escaped-quotes/_expected.html
+++ b/test/server-side-rendering/samples/attribute-escaped-quotes/_expected.html
@ -0,0 +1,3 @@
 <div
 	foo="&#34;></div><script>alert(42)</script>"
 ></div>
--- a/test/server-side-rendering/samples/attribute-escaped-quotes/main.html
+++ b/test/server-side-rendering/samples/attribute-escaped-quotes/main.html
@ -0,0 +1,12 @@
 <div foo={foo}></div>
 <script>
 	export default {
 		data() {
 			return {
 				foo: '"></div><script>alert(42)</' + 'script>'
 			};
 		}
 	};
 </script>