Comparing version 0.0.2 to 0.0.3
0.0.3 / 2014-12-30 | ||
================== | ||
* parse AST to prevent XSS attacks. closes #3 | ||
0.0.2 / 2014-12-30 | ||
@@ -3,0 +8,0 @@ ================== |
index.js
@@ -6,2 +6,3 @@ /** | ||
var type = require('component-type'); | ||
var acorn = require('acorn'); | ||
var isArray = Array.isArray; | ||
@@ -82,3 +83,3 @@ var json = require('json3'); | ||
if ('/' == v[0] && rregexp.test(v)) return stor(v); | ||
if ('function' == v.slice(0, 8) && '}' == v[v.length - 1]) return stof(v); | ||
if ('function' == v.slice(0, 8) && '}' == v[v.length - 1] && isfn(v)) return stof(v); | ||
return v; | ||
@@ -123,1 +124,20 @@ } | ||
} | ||
/** | ||
* Parse the AST to ensure function & prevent XSS, | ||
* otherwise throw. | ||
* | ||
* https://github.com/lapwinglabs/superjson/issues/3 | ||
* | ||
* @param {String} str | ||
* @return {Boolean} | ||
*/ | ||
function isfn(str) { | ||
try { | ||
var obj = acorn.parse('(' + str + ')'); | ||
return obj.body[0].expression.type == 'FunctionExpression'; | ||
} catch (e) { | ||
throw new SyntaxError('"' + str + '" is not a function') | ||
} | ||
} |
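Review bot: `isfn` (the hunk starting at new line 124) inspects only `obj.body[0]`, so a string whose first statement is a function expression but which carries further statements still passes; require acorn's `Program.body` to hold exactly one statement, e.g. `var prog = acorn.parse('(' + str + ')');` followed by `return prog.body.length === 1 && prog.body[0].type === 'ExpressionStatement' && prog.body[0].expression.type === 'FunctionExpression';`. The parse establishes the string's syntactic shape, not what the function does when called — if `stof` (not in this hunk) evaluates the string, any body still runs once the caller invokes the result, so the function-revival path should stay opt-in for untrusted input rather than be relied on as the XSS mitigation the changelog claims. The docstring says "otherwise throw", yet a successful parse whose expression is not a FunctionExpression returns `false` (so the modified line 83 passes the raw string through), while only a parse failure throws; pick one contract and document it. The catch also discards the acorn error (`e` is unused) and embeds the whole input in the message, so consider reusing `e.message` instead of the raw string. The `isfn(v)` call in the second hunk sits inside a function that begins outside the hunk.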
{ | ||
"name": "superjson", | ||
"version": "0.0.2", | ||
"version": "0.0.3", | ||
"description": "extends JSON.stringify and JSON.parse to support additional JS types (Dates, RegExps, Functions, etc.)", | ||
@@ -12,2 +12,3 @@ "keywords": [], | ||
"dependencies": { | ||
"acorn": "^0.11.0", | ||
"component-type": "^1.1.0", | ||
@@ -17,6 +18,5 @@ "json3": "^3.3.2" | ||
"devDependencies": { | ||
"mocha": "*", | ||
"should": "*" | ||
"mocha": "*" | ||
}, | ||
"main": "index" | ||
} | ||
} |
+ Added acorn@^0.11.0
+ Added acorn@0.11.0 (transitive)