better xss mitigation

yyx990803 · yyx990803 · commit 0bee5a08e5c3 · 2014-02-10T16:05:53.000-05:00
diff --git a/src/exp-parser.js b/src/exp-parser.js
@@ -1,7 +1,8 @@
-var utils = require('./utils'),
-    stringSaveRE = /"(?:[^"\\]|\\.)*"|'(?:[^'\\]|\\.)*'/g,
+var utils           = require('./utils'),
+    stringSaveRE    = /"(?:[^"\\]|\\.)*"|'(?:[^'\\]|\\.)*'/g,
     stringRestoreRE = /"(\d+)"/g,
-    constructorRE = /(^|\.)constructor\(/
+    constructorRE   = new RegExp('constructor'.split('').join('[\'"+, ]*')),
+    unicodeRE       = /\\u\d\d\d\d/
 
 // Variable extraction scooped from https://github.com/RubyLouvre/avalon
 
@@ -110,7 +111,8 @@ module.exports = {
      *  created as bindings.
      */
     parse: function (exp, compiler) {
-        if (constructorRE.test(exp)) {
+        // unicode and 'constructor' are not allowed for XSS security.
+        if (unicodeRE.test(exp) || constructorRE.test(exp)) {
             utils.warn('Unsafe expression: ' + exp)
             return function () {}
         }
diff --git a/test/unit/specs/exp-parser.js b/test/unit/specs/exp-parser.js
@@ -112,20 +112,34 @@ describe('UNIT: Expression Parser', function () {
 
     })
 
-    describe('Basic XSS protection', function () {
+    describe('XSS protection', function () {
         
-        var cases = [{
-            xss: true,
-            exp: "constructor.constructor('alert(1)')()",
-            vm: {},
-            expectedValue: undefined
-        },
-        {
-            xss: true,
-            exp: "\"\".toString.constructor.constructor('alert(1)')()",
-            vm: {},
-            expectedValue: undefined
-        }]
+        var cases = [
+            {
+                xss: true,
+                exp: "constructor.constructor('alert(1)')()",
+                vm: {},
+                expectedValue: undefined
+            },
+            {
+                xss: true,
+                exp: "\"\".toString.constructor.constructor('alert(1)')()",
+                vm: {},
+                expectedValue: undefined
+            },
+            {
+                xss: true,
+                exp: "\"\".toString['cons' + 'tructor']['cons' + 'tructor']('alert(1)')()",
+                vm: {},
+                expectedValue: undefined
+            },
+            {
+                xss: true,
+                exp: "\"\".toString['\\u0063ons' + 'tructor']['\\u0063ons' + 'tructor']('alert(1)')()",
+                vm: {},
+                expectedValue: undefined
+            }
+        ]
 
         cases.forEach(describeCase)
 
