auth0-lock - npm Package Compare versions

Comparing version 11.32.2 to 11.33.0

lib/__tests__/connection/database/actions.js

@@ -161,2 +161,71 @@ 'use strict';
   });
+
+  it('sanitizes additionalSignUp fields using dompurify', function () {
+    var id = 1;
+    var hookRunner = jest.fn(function (str, m, context, fn) {
+      return fn();
+    });
+
+    require('connection/database/index').databaseConnectionName = function () {
+      return 'test-connection';
+    };
+    require('connection/database/index').shouldAutoLogin = function () {
+      return true;
+    };
+
+    // Test different fields using some examples from DOMPurify
+    // https://github.com/cure53/DOMPurify#some-purification-samples-please
+    var m = _immutable2.default.fromJS({
+      field: {
+        email: {
+          value: 'test@email.com'
+        },
+        password: {
+          value: 'testpass'
+        },
+        family_name: {
+          value: 'Test <a href="https://www.google.co.uk">Fake link</a>' // HTML but not malicious
+        },
+        given_name: {
+          value: '<img src=x onerror=alert(1)//>'
+        },
+        name: {
+          value: '<p>abc<iframe//src=jAva&Tab;script:alert(3)>def</p>'
+        },
+        other_name: {
+          value: '<div onclick=alert(0)><form onsubmit=alert(1)><input onfocus=alert(2) name=parentNode>123</form></div>'
+        }
+      },
+      database: {
+        additionalSignUpFields: [{ name: 'family_name', storage: 'root' }, { name: 'given_name', storage: 'root' }, { name: 'name', storage: 'root' }, { name: 'other_name' }]
+      },
+      core: {
+        hookRunner: hookRunner
+      }
+    });
+
+    (0, _store.swap)(_store.setEntity, 'lock', id, m);
+    (0, _actions.signUp)(id);
+
+    var _coreActionsMock3 = coreActionsMock(),
+        validateAndSubmitMock = _coreActionsMock3.validateAndSubmit.mock;
+
+    validateAndSubmitMock.calls[0][2](m);
+
+    var _webApiMock3 = webApiMock(),
+        signUpMock = _webApiMock3.signUp.mock;
+
+    expect(signUpMock.calls[0][1]).toMatchObject({
+      connection: 'test-connection',
+      email: 'test@email.com',
+      password: 'testpass',
+      autoLogin: true,
+      family_name: 'Test Fake link',
+      given_name: '',
+      name: 'abc',
+      user_metadata: {
+        other_name: '123'
+      }
+    });
+  });
 });

lib/connection/database/actions.js

@@ -16,6 +16,2 @@ 'use strict';
 
-var _immutable = require('immutable');
-
-var _immutable2 = _interopRequireDefault(_immutable);
-
 var _index = require('../../store/index');
@@ -37,2 +33,4 @@
 
+var _dompurify = require('dompurify');
+
 var _index4 = require('./index');
@@ -141,3 +139,4 @@
         var fieldName = x.get('name');
-        var fieldValue = c.getFieldValue(m, x.get('name'));
+        var fieldValue = (0, _dompurify.sanitize)(c.getFieldValue(m, x.get('name')), { ALLOWED_TAGS: [] });
+
         switch (storage) {
@@ -144,0 +143,0 @@ case 'root':

lib/connection/database/reset_password.js

@@ -51,32 +51,50 @@ 'use strict';
 
-var Component = function Component(_ref) {
-  var i18n = _ref.i18n,
-      model = _ref.model;
+var Component = function (_React$Component) {
+  _inherits(Component, _React$Component);
 
-  var headerText = i18n.html('forgotPasswordInstructions') || null;
-  var header = headerText && _react2.default.createElement(
-    'p',
-    null,
-    headerText
-  );
-  var connectionResolver = l.connectionResolver(model);
+  function Component() {
+    _classCallCheck(this, Component);
 
-  // When using a custom connection resolver, `usernameStyle` is always 'username' (as opposed to 'email').
-  // If the user has entered an email address as the username, and a custom resolver is being used, copy the
-  // value from the 'username' field to the 'email' field so that `EmailPane` can render it.
-  if (connectionResolver) {
-    var field = (0, _field.getField)(model, 'username');
-    var value = field.get('value', '');
-
-    (0, _index4.swap)(_index4.updateEntity, 'lock', l.id(model), _email.setEmail, (0, _email.isEmail)(value, false) ? value : '', false);
+    return _possibleConstructorReturn(this, _React$Component.apply(this, arguments));
   }
 
-  return _react2.default.createElement(_reset_password_pane2.default, {
-    emailInputPlaceholder: i18n.str('emailInputPlaceholder'),
-    header: header,
-    i18n: i18n,
-    lock: model
-  });
-};
+  Component.prototype.componentDidMount = function componentDidMount() {
+    var model = this.props.model;
 
+    var connectionResolver = l.connectionResolver(model);
+
+    // When using a custom connection resolver, `usernameStyle` is always 'username' (as opposed to 'email').
+    // If the user has entered an email address as the username, and a custom resolver is being used, copy the
+    // value from the 'username' field to the 'email' field so that `EmailPane` can render it.
+    if (connectionResolver) {
+      var field = (0, _field.getField)(model, 'username');
+      var value = field.get('value', '');
+
+      (0, _index4.swap)(_index4.updateEntity, 'lock', l.id(model), _email.setEmail, (0, _email.isEmail)(value, false) ? value : '', false);
+    }
+  };
+
+  Component.prototype.render = function render() {
+    var _props = this.props,
+        i18n = _props.i18n,
+        model = _props.model;
+
+    var headerText = i18n.html('forgotPasswordInstructions') || null;
+    var header = headerText && _react2.default.createElement(
+      'p',
+      null,
+      headerText
+    );
+
+    return _react2.default.createElement(_reset_password_pane2.default, {
+      emailInputPlaceholder: i18n.str('emailInputPlaceholder'),
+      header: header,
+      i18n: i18n,
+      lock: model
+    });
+  };
+
+  return Component;
+}(_react2.default.Component);
+
 var ResetPassword = function (_Screen) {
@@ -83,0 +101,0 @@ _inherits(ResetPassword, _Screen);

lib/connection/passwordless/actions.js

@@ -89,8 +89,11 @@ 'use strict';
 
+function getPasswordlessConnectionName(m, defaultPasswordlessConnection) {
+  var connections = l.connections(m, 'passwordless', defaultPasswordlessConnection);
+
+  return connections.size > 0 && l.useCustomPasswordlessConnection(m) ? connections.first().get('name') : defaultPasswordlessConnection;
+}
+
 function sendEmail(m, successFn, errorFn) {
-  var connections = l.connections(m, 'passwordless', 'email');
-  var connectionName = connections.size > 0 && l.useCustomPasswordlessConnection(m) ? connections.first().get('name') : 'email';
-
   var params = {
-    connection: connectionName,
+    connection: getPasswordlessConnectionName(m, 'email'),
     email: c.getFieldValue(m, 'email'),
@@ -117,7 +120,4 @@ send: (0, _index4.send)(m)
   (0, _actions.validateAndSubmit)(id, ['phoneNumber'], function (m) {
-    var connections = l.connections(m, 'passwordless', 'sms');
-    var connectionName = connections.size > 0 && l.useCustomPasswordlessConnection(m) ? connections.first().get('name') : 'sms';
-
     var params = {
-      connection: connectionName,
+      connection: getPasswordlessConnectionName(m, 'sms'),
       phoneNumber: (0, _phone_number.phoneNumberWithDiallingCode)(m),
@@ -160,6 +160,6 @@ send: (0, _index4.send)(m)
   if ((0, _index4.isEmail)(m)) {
-    params.connection = 'email';
+    params.connection = getPasswordlessConnectionName(m, 'email');
     params.email = c.getFieldValue(m, 'email');
   } else {
-    params.connection = 'sms';
+    params.connection = getPasswordlessConnectionName(m, 'sms');
     params.phoneNumber = (0, _phone_number.phoneNumberWithDiallingCode)(m);
@@ -166,0 +166,0 @@ }

lib/core/web_api/helper.js

@@ -179,3 +179,3 @@ 'use strict';
 function getVersion() {
-  return '11.32.2';
+  return '11.33.0';
 }

lib/i18n.js

@@ -128,3 +128,3 @@ 'use strict';
     method: 'registerLanguageDictionary',
-    url: l.languageBaseUrl(m) + '/js/lock/' + '11.32.2' + '/' + language + '.js',
+    url: l.languageBaseUrl(m) + '/js/lock/' + '11.33.0' + '/' + language + '.js',
     check: function check(str) {
@@ -131,0 +131,0 @@ return str && str === language;

lib/lock.js

@@ -45,3 +45,3 @@ 'use strict';
 exports.default = Auth0Lock;
-Auth0Lock.version = '11.32.2';
+Auth0Lock.version = '11.33.0';
 
@@ -48,0 +48,0 @@ // TODO: should we have different telemetry for classic/passwordless?

lib/passwordless.js

@@ -44,2 +44,2 @@ 'use strict';
 
-Auth0LockPasswordless.version = '11.32.2';
+Auth0LockPasswordless.version = '11.33.0';

lib/ui/box.js

@@ -35,3 +35,3 @@ 'use strict';
     if (!container && shouldAppend) {
-      container = window.document.createElement('div');
+      container = window.document.createElement('main');
       container.id = id;
@@ -38,0 +38,0 @@ container.className = 'auth0-lock-container';

package.json

 {
   "name": "auth0-lock",
-  "version": "11.32.2",
+  "version": "11.33.0",
   "description": "Auth0 Lock",
@@ -112,3 +112,3 @@ "author": "Auth0 <support@auth0.com> (http://auth0.com)",
     "classnames": "^2.3.1",
-    "dompurify": "^2.3.4",
+    "dompurify": "^2.3.5",
     "immutable": "^3.7.3",
@@ -115,0 +115,0 @@ "jsonp": "^0.2.1",

README.md

@@ -28,3 +28,3 @@ [![NPM version][npm-image]][npm-url]
 <!-- Latest patch release (recommended for production) -->
-<script src="https://cdn.auth0.com/js/lock/11.32.2/lock.min.js"></script>
+<script src="https://cdn.auth0.com/js/lock/11.33.0/lock.min.js"></script>
 ```
@@ -494,2 +494,4 @@
 
+:warning: **Note**: From `11.33.0` onwards, all HTML tags are stripped from user input into custom signup fields.
+
 ##### Text field
@@ -496,0 +498,0 @@

New alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Fixed alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Improved metrics

Total package byte prevSize

1478635

increased by0.28%

Lines of code

24414

increased by0.3%

Number of lines in readme file

710

increased by0.28%

Dependency changes

• Updateddompurify@^2.3.5