Skip to content

Commit

Permalink
fix: fix potential xss vulnerability in ssr
Browse files Browse the repository at this point in the history
  • Loading branch information
yyx990803 committed Aug 1, 2018
1 parent 2534219 commit c28f792
Show file tree
Hide file tree
Showing 4 changed files with 48 additions and 1 deletion.
5 changes: 5 additions & 0 deletions src/platforms/web/server/modules/attrs.js
Original file line number Diff line number Diff line change
Expand Up @@ -14,6 +14,8 @@ import {
isFalsyAttrValue
} from 'web/util/attrs'

import { isSSRUnsafeAttr } from 'web/server/util'

export default function renderAttrs (node: VNodeWithData): string {
let attrs = node.data.attrs
let res = ''
Expand All @@ -34,6 +36,9 @@ export default function renderAttrs (node: VNodeWithData): string {
}

for (const key in attrs) {
if (isSSRUnsafeAttr(key)) {
continue
}
if (key === 'style') {
// leave it to the style module
continue
Expand Down
5 changes: 5 additions & 0 deletions src/platforms/web/server/util.js
Original file line number Diff line number Diff line change
Expand Up @@ -18,6 +18,11 @@ const isAttr = makeMap(
'target,title,type,usemap,value,width,wrap'
)

const unsafeAttrCharRE = /[>/="'\u0009\u000a\u000c\u0020]/
export const isSSRUnsafeAttr = name => {
return unsafeAttrCharRE.test(name)
}

/* istanbul ignore next */
const isRenderableAttr = (name: string): boolean => {
return (
Expand Down
5 changes: 4 additions & 1 deletion src/server/optimizing-compiler/runtime-helpers.js
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
/* @flow */

import { escape } from 'web/server/util'
import { escape, isSSRUnsafeAttr } from 'web/server/util'
import { isObject, extend } from 'shared/util'
import { renderAttr } from 'web/server/modules/attrs'
import { renderClass } from 'web/util/class'
Expand Down Expand Up @@ -109,6 +109,9 @@ function renderStringList (
function renderAttrs (obj: Object): string {
let res = ''
for (const key in obj) {
if (isSSRUnsafeAttr(key)) {
continue
}
res += renderAttr(key, obj[key])
}
return res
Expand Down
34 changes: 34 additions & 0 deletions test/ssr/ssr-string.spec.js
Original file line number Diff line number Diff line change
Expand Up @@ -929,6 +929,40 @@ describe('SSR: renderToString', () => {
})
})

it('should prevent xss in attribute names', done => {
renderVmWithOptions({
data: {
xss: {
'foo="bar"></div><script>alert(1)</script>': ''
}
},
template: `
<div v-bind="xss"></div>
`
}, res => {
expect(res).not.toContain(`<script>alert(1)</script>`)
done()
})
})

it('should prevent xss in attribute names (optimized)', done => {
renderVmWithOptions({
data: {
xss: {
'foo="bar"></div><script>alert(1)</script>': ''
}
},
template: `
<div>
<a v-bind="xss">foo</a>
</div>
`
}, res => {
expect(res).not.toContain(`<script>alert(1)</script>`)
done()
})
})

it('should prevent script xss with v-bind object syntax + array value', done => {
renderVmWithOptions({
data: {
Expand Down

0 comments on commit c28f792

Please sign in to comment.