Security News
GitHub Removes Malicious Pull Requests Targeting Open Source Repositories
GitHub removed 27 malicious pull requests attempting to inject harmful code across multiple open source repositories, in another round of low-effort attacks.
angular-expressions
angular's nicest part extracted as a standalone module for the browser and node.
angular-expressions exposes a .compile() method which can be used to compile evaluable expressions:

```js
var expressions = require("angular-expressions");
evaluate = expressions.compile("1 + 1");
evaluate(); // returns 2
```
You can also set and get values on a given scope:

```js
evaluate = expressions.compile("name");
scope = { name: "Jenny" };
evaluate(scope); // returns 'Jenny'
evaluate = expressions.compile("ship.pirate.name = 'Störtebeker'");
evaluate(scope); // won't throw an error because angular's expressions are forgiving
console.log(scope.ship.pirate.name); // prints 'Störtebeker'
```
For assigning values, you can also use .assign():

```js
evaluate = expressions.compile("ship.pirate.name");
evaluate.assign(scope, "Störtebeker");
console.log(scope.ship.pirate.name); // prints 'Störtebeker'
```
Check out their readme for further information.
Angular provides a mechanism to define filters on expressions:
```js
expressions.filters.uppercase = (input) => input.toUpperCase();
expr = expressions.compile("'arr' | uppercase");
expr(); // returns 'ARR'
```
Arguments are evaluated against the scope:
```js
expressions.filters.currency = (input, currency, digits) => {
  input = input.toFixed(digits);
  if (currency === "EUR") {
    return input + "€";
  } else {
    return input + "$";
  }
};
expr = expressions.compile("1.2345 | currency:selectedCurrency:2");
expr({
  selectedCurrency: "EUR",
}); // returns '1.23€'
```
If you need an isolated filters object, this can be achieved by setting the filters attribute in the options argument. The global cache is disabled if using options.filters. To set up an isolated cache, you can also set the cache attribute in the options argument:

```js
var isolatedFilters = {
  transform: (input) => input.toLowerCase(),
};
var isolatedCache = {};
var resultOne = expressions.compile("'Foo Bar' | transform", {
  filters: isolatedFilters,
  cache: isolatedCache,
});
console.log(resultOne()); // prints 'foo bar'
console.log(isolatedCache); // prints '{"'Foo Bar' | transform": [Function fn] }'
```
expressions.compile(src) compiles src and returns a function evaluate(). The compiled function is cached under compile.cache[src] to speed up further calls.
The compiled function also exposes the AST. Example output of compile("tmp + 1").ast:

```js
{ type: 'Program',
  body:
   [ { type: 'ExpressionStatement',
       expression:
        { type: 'Identifier',
          name: 'tmp',
          constant: false,
          toWatch: [ [Circular] ] } } ],
  constant: false }
```

NOTE: angular's $parse does not export the ast property; it is added by this library.
compile.cache is a cache containing all compiled functions. The src is used as key. Set this to false to disable the cache.
expressions.filters is an empty object where you may define your custom filters.
The internal Lexer.
The internal Parser.
evaluate(scope) evaluates the compiled src and returns the result of the expression. Property look-ups or assignments are executed on the given scope.
evaluate.assign(scope, value) tries to assign the given value to the result of the compiled expression on the given scope and returns the result of the assignment.
There is no dist build because it's not 2005 anymore. Use a module bundler like webpack or browserify. They're both capable of CommonJS and AMD.
Angular's expression code did not prevent reads from the prototype chain; since version 1.0.1 of angular-expressions, the module disallows reading properties that are not own properties. See this blog post for more details about the sandbox, which was removed completely in angular 1.6.
Comment from angular.js/src/ng/parse.js:
Angular expressions are generally considered safe because these expressions only have direct access to $scope and locals. However, one can obtain the ability to execute arbitrary JS code by obtaining a reference to native JS functions such as the Function constructor.
As an example, consider the following Angular expression:
```js
{}.toString.constructor(alert("evil JS code"))
```
We want to prevent this type of access. For the sake of performance, during the lexing phase we disallow any "dotted" access to any member named "constructor".
For reflective calls (a[b]) we check that the value of the lookup is not the Function constructor while evaluating the expression, which is a stronger but more expensive test. Since reflective calls are expensive anyway, this is not such a big deal compared to static dereferencing. This sandboxing technique is not perfect and doesn't aim to be. The goal is to prevent exploits against the expression language, but not to prevent exploits that were enabled by exposing sensitive JavaScript or browser apis on Scope. Exposing such objects on a Scope is never a good practice and therefore we are not even trying to protect against interaction with an object explicitly exposed in this way.
A developer could foil the name check by aliasing the Function constructor under a different name on the scope.
In general, it is not possible to access a Window object from an angular expression unless a window or some DOM object that has a reference to window is published onto a Scope.
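As an added example (not the library's or Angular's own code), a minimal dotted-path lookup that applies the two rules described above: a member literally named "constructor" is rejected, only own properties of the scope are readable (the 1.0.1 behaviour), and a value that turns out to be the Function constructor is refused at evaluation time even when it was aliased under another name. The sample scope and the function names are constructed for this illustration.

```javascript
// Added illustration of the sandbox rules described in the README; not the
// library's implementation. Names and sample data are constructed here.
const FORBIDDEN_MEMBER = "constructor";

// Resolve a dotted path such as "ship.pirate.name" against `scope`.
// Missing segments yield undefined, mirroring Angular's forgiving lookups.
function safeLookup(scope, path) {
  let current = scope;
  for (const key of path.split(".")) {
    // Equivalent of the lexer-phase rule: dotted access to "constructor" is refused.
    if (key === FORBIDDEN_MEMBER) {
      throw new Error(`Access to "${FORBIDDEN_MEMBER}" is disallowed in expressions`);
    }
    if (current === null || current === undefined) {
      return undefined;
    }
    // Own-property rule: inherited members (toString, __proto__, ...) are invisible.
    if (!Object.prototype.hasOwnProperty.call(current, key)) {
      return undefined;
    }
    current = current[key];
    // Evaluation-time rule: never hand back the Function constructor, even if
    // someone stored it on the scope under a harmless-looking alias.
    if (current === Function) {
      throw new Error("Expression resolved to the Function constructor");
    }
  }
  return current;
}

// Returns true when the lookup is rejected, so callers can check outcomes
// without catching exceptions themselves.
function isRejected(scope, path) {
  try {
    safeLookup(scope, path);
    return false;
  } catch (err) {
    return true;
  }
}

// Constructed sample scope: ordinary data plus an aliased Function constructor.
const sampleScope = { ship: { pirate: { name: "Störtebeker" } }, fn: Function };
```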
Kudos go entirely to the great angular.js team, it's their implementation!
Suggestions and bug-fixes are always appreciated. Don't hesitate to create an issue or pull-request. All contributed code should pass `npm test` and `npm run test-browser` (then visit http://localhost:8080/bundle).
1.4.0
Add support for handleThis: false to disable handling of this (by default handleThis is true). This way, if you write {this | filter}, the this will be used as a key from the scope, e.g. scope["this"].
FAQs
Angular expressions as standalone module
We found that angular-expressions demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 9 open source maintainers collaborating on the project.