Merge pull request #1623 from sveltejs/CVE-2018-6341

Sanitize spread attributes in SSR
6 years ago · 065d0f7411
parent e1c5eba3cc 45c52c5eb2
commit 065d0f7411
6 changed files with 48 additions and 2 deletions
--- a/src/compile/Compiler.ts
+++ b/src/compile/Compiler.ts
@ -310,7 +310,7 @@ export default class Compiler {
 						: `_svelteTransitionManager`;

 					inlineHelpers += `\n\nvar ${this.alias(name)} = window.${global} || (window.${global} = ${code});\n\n`;
-				} else if (name === 'escaped' || name === 'missingComponent') {
+				} else if (name === 'escaped' || name === 'missingComponent' || name === 'invalidAttributeNameCharacter') {
 					// vars are an awkward special case... would be nice to avoid this
 					const alias = this.alias(name);
 					inlineHelpers += `\n\nconst ${alias} = ${code};`
--- a/src/shared/ssr.js
+++ b/src/shared/ssr.js
@ -1,12 +1,23 @@
+// https://html.spec.whatwg.org/multipage/syntax.html#attributes-2
+// https://infra.spec.whatwg.org/#noncharacter
+export const invalidAttributeNameCharacter = /[\s'"<\/=\u{FDD0}-\u{FDEF}\u{FFFE}\u{FFFF}\u{1FFFE}\u{1FFFF}\u{2FFFE}\u{2FFFF}\u{3FFFE}\u{3FFFF}\u{4FFFE}\u{4FFFF}\u{5FFFE}\u{5FFFF}\u{6FFFE}\u{6FFFF}\u{7FFFE}\u{7FFFF}\u{8FFFE}\u{8FFFF}\u{9FFFE}\u{9FFFF}\u{AFFFE}\u{AFFFF}\u{BFFFE}\u{BFFFF}\u{CFFFE}\u{CFFFF}\u{DFFFE}\u{DFFFF}\u{EFFFE}\u{EFFFF}\u{FFFFE}\u{FFFFF}\u{10FFFE}\u{10FFFF}]/u;
+
 export function spread(args) {
 	const attributes = Object.assign({}, ...args);
 	let str = '';

 	Object.keys(attributes).forEach(name => {
+		if (invalidAttributeNameCharacter.test(name)) return;
+
 		const value = attributes[name];
 		if (value === undefined) return;
 		if (value === true) str += " " + name;
-		str += " " + name + "=" + JSON.stringify(value);
+
+		const escaped = String(value)
+			.replace(/"/g, '&#34;')
+			.replace(/'/g, '&#39;');
+
+		str += " " + name + "=" + JSON.stringify(escaped);
 	});

 	return str;
--- a/test/server-side-rendering/samples/attribute-escaped-quotes-spread/_expected.html
+++ b/test/server-side-rendering/samples/attribute-escaped-quotes-spread/_expected.html
@ -0,0 +1,4 @@
+<div
+	foo="&#34;></div><script>alert(42)</script>"
+	bar="&#39;></div><script>alert(42)</script>"
+></div>
--- a/test/server-side-rendering/samples/attribute-escaped-quotes-spread/main.html
+++ b/test/server-side-rendering/samples/attribute-escaped-quotes-spread/main.html
@ -0,0 +1,16 @@
+<div {...props}></div>
+
+<script>
+
+	export default {
+		data() {
+			return {
+				props: {
+					foo: '"></div><script>alert(42)</' + 'script>',
+					bar: "'></div><script>alert(42)</" + 'script>',
+					['"></div><script>alert(42)</' + 'script>']: 'baz'
+				}
+			};
+		}
+	};
+</script>
--- a/test/server-side-rendering/samples/attribute-escaped-quotes/_expected.html
+++ b/test/server-side-rendering/samples/attribute-escaped-quotes/_expected.html
@ -0,0 +1,3 @@
+<div
+	foo="&#34;></div><script>alert(42)</script>"
+></div>
--- a/test/server-side-rendering/samples/attribute-escaped-quotes/main.html
+++ b/test/server-side-rendering/samples/attribute-escaped-quotes/main.html
@ -0,0 +1,12 @@
+<div foo={foo}></div>
+
+<script>
+
+	export default {
+		data() {
+			return {
+				foo: '"></div><script>alert(42)</' + 'script>'
+			};
+		}
+	};
+</script>