auth0-lock
Comparing version 11.32.2 to 11.33.0
@@ -161,2 +161,71 @@ 'use strict'; | ||
}); | ||
it('sanitizes additionalSignUp fields using dompurify', function () { | ||
var id = 1; | ||
var hookRunner = jest.fn(function (str, m, context, fn) { | ||
return fn(); | ||
}); | ||
require('connection/database/index').databaseConnectionName = function () { | ||
return 'test-connection'; | ||
}; | ||
require('connection/database/index').shouldAutoLogin = function () { | ||
return true; | ||
}; | ||
// Test different fields using some examples from DOMPurify | ||
// https://github.com/cure53/DOMPurify#some-purification-samples-please | ||
var m = _immutable2.default.fromJS({ | ||
field: { | ||
email: { | ||
value: 'test@email.com' | ||
}, | ||
password: { | ||
value: 'testpass' | ||
}, | ||
family_name: { | ||
value: 'Test <a href="https://www.google.co.uk">Fake link</a>' // HTML but not malicious | ||
}, | ||
given_name: { | ||
value: '<img src=x onerror=alert(1)//>' | ||
}, | ||
name: { | ||
value: '<p>abc<iframe//src=jAva	script:alert(3)>def</p>' | ||
}, | ||
other_name: { | ||
value: '<div onclick=alert(0)><form onsubmit=alert(1)><input onfocus=alert(2) name=parentNode>123</form></div>' | ||
} | ||
}, | ||
database: { | ||
additionalSignUpFields: [{ name: 'family_name', storage: 'root' }, { name: 'given_name', storage: 'root' }, { name: 'name', storage: 'root' }, { name: 'other_name' }] | ||
}, | ||
core: { | ||
hookRunner: hookRunner | ||
} | ||
}); | ||
(0, _store.swap)(_store.setEntity, 'lock', id, m); | ||
(0, _actions.signUp)(id); | ||
var _coreActionsMock3 = coreActionsMock(), | ||
validateAndSubmitMock = _coreActionsMock3.validateAndSubmit.mock; | ||
validateAndSubmitMock.calls[0][2](m); | ||
var _webApiMock3 = webApiMock(), | ||
signUpMock = _webApiMock3.signUp.mock; | ||
expect(signUpMock.calls[0][1]).toMatchObject({ | ||
connection: 'test-connection', | ||
email: 'test@email.com', | ||
password: 'testpass', | ||
autoLogin: true, | ||
family_name: 'Test Fake link', | ||
given_name: '', | ||
name: 'abc', | ||
user_metadata: { | ||
other_name: '123' | ||
} | ||
}); | ||
}); | ||
}); |
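Review bot: The two assignments near the top of the test that overwrite `require('connection/database/index').databaseConnectionName` and `.shouldAutoLogin` replace exports on a shared module and are never restored, so they leak into every test that runs later in the same worker unless an afterEach elsewhere in this file resets them. Prefer `jest.spyOn(require('connection/database/index'), 'databaseConnectionName').mockReturnValue('test-connection');` (and likewise for `shouldAutoLogin`) with `jest.restoreAllMocks()` in an afterEach. The fixtures also only exercise markup; a value with a bare `&` or `<` such as `Smith & Sons` would pin down whether the sanitized output is expected to be entity-encoded, which is the case that matters for data stored in the profile. The enclosing describe block starts and ends outside the hunk.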
@@ -16,6 +16,2 @@ 'use strict'; | ||
var _immutable = require('immutable'); | ||
var _immutable2 = _interopRequireDefault(_immutable); | ||
var _index = require('../../store/index'); | ||
@@ -37,2 +33,4 @@ | ||
var _dompurify = require('dompurify'); | ||
var _index4 = require('./index'); | ||
@@ -141,3 +139,4 @@ | ||
var fieldName = x.get('name'); | ||
var fieldValue = c.getFieldValue(m, x.get('name')); | ||
var fieldValue = (0, _dompurify.sanitize)(c.getFieldValue(m, x.get('name')), { ALLOWED_TAGS: [] }); | ||
switch (storage) { | ||
@@ -144,0 +143,0 @@ case 'root': |
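Review bot: On the new `fieldValue` line, `sanitize()` is applied to whatever `getFieldValue` returns, and as far as I recall DOMPurify returns serialized markup rather than plain text, so a legitimate value such as `Smith & Sons` or `a < b` would come back entity-encoded (`Smith &amp; Sons`) and be stored that way in the user profile; a non-string value (an unfilled field, a checkbox boolean) would also be coerced to a string instead of passed through unchanged. Worth confirming and, if so, guarding on type: `var raw = c.getFieldValue(m, fieldName); var fieldValue = typeof raw === 'string' ? (0, _dompurify.sanitize)(raw, { ALLOWED_TAGS: [] }) : raw;`, which also reuses the `fieldName` local declared on the line above instead of calling `x.get('name')` a second time. Either way a comment such as `// Tags are stripped; note DOMPurify may entity-encode & and < in the remaining text` would save the next reader a surprise, since the README for this release only says tags are removed. The enclosing function starts and ends outside the hunk.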
@@ -51,32 +51,50 @@ 'use strict'; | ||
var Component = function Component(_ref) { | ||
var i18n = _ref.i18n, | ||
model = _ref.model; | ||
var Component = function (_React$Component) { | ||
_inherits(Component, _React$Component); | ||
var headerText = i18n.html('forgotPasswordInstructions') || null; | ||
var header = headerText && _react2.default.createElement( | ||
'p', | ||
null, | ||
headerText | ||
); | ||
var connectionResolver = l.connectionResolver(model); | ||
function Component() { | ||
_classCallCheck(this, Component); | ||
// When using a custom connection resolver, `usernameStyle` is always 'username' (as opposed to 'email'). | ||
// If the user has entered an email address as the username, and a custom resolver is being used, copy the | ||
// value from the 'username' field to the 'email' field so that `EmailPane` can render it. | ||
if (connectionResolver) { | ||
var field = (0, _field.getField)(model, 'username'); | ||
var value = field.get('value', ''); | ||
(0, _index4.swap)(_index4.updateEntity, 'lock', l.id(model), _email.setEmail, (0, _email.isEmail)(value, false) ? value : '', false); | ||
return _possibleConstructorReturn(this, _React$Component.apply(this, arguments)); | ||
} | ||
return _react2.default.createElement(_reset_password_pane2.default, { | ||
emailInputPlaceholder: i18n.str('emailInputPlaceholder'), | ||
header: header, | ||
i18n: i18n, | ||
lock: model | ||
}); | ||
}; | ||
Component.prototype.componentDidMount = function componentDidMount() { | ||
var model = this.props.model; | ||
var connectionResolver = l.connectionResolver(model); | ||
// When using a custom connection resolver, `usernameStyle` is always 'username' (as opposed to 'email'). | ||
// If the user has entered an email address as the username, and a custom resolver is being used, copy the | ||
// value from the 'username' field to the 'email' field so that `EmailPane` can render it. | ||
if (connectionResolver) { | ||
var field = (0, _field.getField)(model, 'username'); | ||
var value = field.get('value', ''); | ||
(0, _index4.swap)(_index4.updateEntity, 'lock', l.id(model), _email.setEmail, (0, _email.isEmail)(value, false) ? value : '', false); | ||
} | ||
}; | ||
Component.prototype.render = function render() { | ||
var _props = this.props, | ||
i18n = _props.i18n, | ||
model = _props.model; | ||
var headerText = i18n.html('forgotPasswordInstructions') || null; | ||
var header = headerText && _react2.default.createElement( | ||
'p', | ||
null, | ||
headerText | ||
); | ||
return _react2.default.createElement(_reset_password_pane2.default, { | ||
emailInputPlaceholder: i18n.str('emailInputPlaceholder'), | ||
header: header, | ||
i18n: i18n, | ||
lock: model | ||
}); | ||
}; | ||
return Component; | ||
}(_react2.default.Component); | ||
var ResetPassword = function (_Screen) { | ||
@@ -83,0 +101,0 @@ _inherits(ResetPassword, _Screen); |
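Review bot: The reason Component became a class is not recorded anywhere: the `swap(updateEntity, …)` store write that previously ran inside the render function now runs in componentDidMount, presumably to keep render free of side effects, but nothing in the file says so. Add above the class: `// Class component so the username -> email copy below runs once in componentDidMount instead of during render`. Note also that componentDidMount reads `this.props.model` once at mount, so a username entered or changed after this screen mounts would not be mirrored into the email field; I can't tell from this hunk whether that can happen, but if it can, the same logic would be needed in componentDidUpdate. The ResetPassword definition that follows continues outside the hunk.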
@@ -89,8 +89,11 @@ 'use strict'; | ||
function getPasswordlessConnectionName(m, defaultPasswordlessConnection) { | ||
var connections = l.connections(m, 'passwordless', defaultPasswordlessConnection); | ||
return connections.size > 0 && l.useCustomPasswordlessConnection(m) ? connections.first().get('name') : defaultPasswordlessConnection; | ||
} | ||
function sendEmail(m, successFn, errorFn) { | ||
var connections = l.connections(m, 'passwordless', 'email'); | ||
var connectionName = connections.size > 0 && l.useCustomPasswordlessConnection(m) ? connections.first().get('name') : 'email'; | ||
var params = { | ||
connection: connectionName, | ||
connection: getPasswordlessConnectionName(m, 'email'), | ||
email: c.getFieldValue(m, 'email'), | ||
@@ -117,7 +120,4 @@ send: (0, _index4.send)(m) | ||
(0, _actions.validateAndSubmit)(id, ['phoneNumber'], function (m) { | ||
var connections = l.connections(m, 'passwordless', 'sms'); | ||
var connectionName = connections.size > 0 && l.useCustomPasswordlessConnection(m) ? connections.first().get('name') : 'sms'; | ||
var params = { | ||
connection: connectionName, | ||
connection: getPasswordlessConnectionName(m, 'sms'), | ||
phoneNumber: (0, _phone_number.phoneNumberWithDiallingCode)(m), | ||
@@ -160,6 +160,6 @@ send: (0, _index4.send)(m) | ||
if ((0, _index4.isEmail)(m)) { | ||
params.connection = 'email'; | ||
params.connection = getPasswordlessConnectionName(m, 'email'); | ||
params.email = c.getFieldValue(m, 'email'); | ||
} else { | ||
params.connection = 'sms'; | ||
params.connection = getPasswordlessConnectionName(m, 'sms'); | ||
params.phoneNumber = (0, _phone_number.phoneNumberWithDiallingCode)(m); | ||
@@ -166,0 +166,0 @@ } |
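Review bot: `getPasswordlessConnectionName` in the first hunk has no doc comment, and its selection rule deserves one: when `useCustomPasswordlessConnection(m)` is on it silently takes `connections.first()`, so a tenant with several passwordless connections of the same type gets an unannounced pick. Suggested JSDoc above the function: `/** Resolve the passwordless connection name to submit: the first configured connection of this type when a custom connection is enabled, else the Auth0 default ('email' or 'sms'). */` followed by `@param`/`@returns` lines for `m` and `defaultPasswordlessConnection`. The `isEmail` branch in the last hunk now routes through the same helper, so the fallback there matches the earlier call sites; the functions enclosing the second and third hunks start outside the hunks.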
@@ -179,3 +179,3 @@ 'use strict'; | ||
function getVersion() { | ||
return '11.32.2'; | ||
return '11.33.0'; | ||
} |
@@ -128,3 +128,3 @@ 'use strict'; | ||
method: 'registerLanguageDictionary', | ||
url: l.languageBaseUrl(m) + '/js/lock/' + '11.32.2' + '/' + language + '.js', | ||
url: l.languageBaseUrl(m) + '/js/lock/' + '11.33.0' + '/' + language + '.js', | ||
check: function check(str) { | ||
@@ -131,0 +131,0 @@ return str && str === language; |
@@ -45,3 +45,3 @@ 'use strict'; | ||
exports.default = Auth0Lock; | ||
Auth0Lock.version = '11.32.2'; | ||
Auth0Lock.version = '11.33.0'; | ||
@@ -48,0 +48,0 @@ // TODO: should we have different telemetry for classic/passwordless? |
@@ -44,2 +44,2 @@ 'use strict'; | ||
Auth0LockPasswordless.version = '11.32.2'; | ||
Auth0LockPasswordless.version = '11.33.0'; |
@@ -35,3 +35,3 @@ 'use strict'; | ||
if (!container && shouldAppend) { | ||
container = window.document.createElement('div'); | ||
container = window.document.createElement('main'); | ||
container.id = id; | ||
@@ -38,0 +38,0 @@ container.className = 'auth0-lock-container'; |
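Review bot: Creating the auto-appended container as `<main>` assumes the host page has no `<main>` of its own; HTML allows a single visible `main` landmark per document, so a page that embeds Lock next to its own main content would expose two, which assistive technology announces as separate landmarks. The `!container && shouldAppend` guard shows this element is only created when no container is supplied, so if the trade-off is deliberate record it: `// <main> so the widget is announced as the page's main landmark; hosts that already have one should supply their own container`. The function containing this guard starts outside the hunk.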
{ | ||
"name": "auth0-lock", | ||
"version": "11.32.2", | ||
"version": "11.33.0", | ||
"description": "Auth0 Lock", | ||
@@ -112,3 +112,3 @@ "author": "Auth0 <support@auth0.com> (http://auth0.com)", | ||
"classnames": "^2.3.1", | ||
"dompurify": "^2.3.4", | ||
"dompurify": "^2.3.5", | ||
"immutable": "^3.7.3", | ||
@@ -115,0 +115,0 @@ "jsonp": "^0.2.1", |
@@ -28,3 +28,3 @@ [![NPM version][npm-image]][npm-url] | ||
<!-- Latest patch release (recommended for production) --> | ||
<script src="https://cdn.auth0.com/js/lock/11.32.2/lock.min.js"></script> | ||
<script src="https://cdn.auth0.com/js/lock/11.33.0/lock.min.js"></script> | ||
``` | ||
@@ -494,2 +494,4 @@ | ||
:warning: **Note**: From `11.33.0` onwards, all HTML tags are stripped from user input into custom signup fields. | ||
##### Text field | ||
@@ -496,0 +498,0 @@ |