Chapril/xmpp.chapril.org-conversejs
Chapril/xmpp.chapril.org-conversejs
25
0
Fork 0
Code Issues Pull Requests Projects Releases Activity

Don't use _.template for variable interpolation

Browse Source 
It depends on `eval` which is unsafe.
This commit is contained in:
JC Brand 2018-02-19 10:35:58 +01:00
parent 4d34952eae
commit fa6569352c
3 changed files with 13 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
CHANGES.md
View File

@ -1,5 +1,9 @@
# Changelog # Changelog
## 3.3.4 (Unreleased)
- Avoid `eval` (via `_.template` from lodash).
## 3.3.3 (2018-02-14) ## 3.3.3 (2018-02-14)
### Bugfixes ### Bugfixes

2
src/converse-core.js
View File

@ -1862,7 +1862,7 @@
i18n.fetchTranslations( i18n.fetchTranslations(
_converse.locale, _converse.locale,
_converse.locales, _converse.locales,
_.template(_converse.locales_url)({'locale': _converse.locale})) u.interpolate(_converse.locales_url, {'locale': _converse.locale}))
.catch(_.partial(_converse.log, _, Strophe.LogLevel.FATAL)) .catch(_.partial(_converse.log, _, Strophe.LogLevel.FATAL))
.then(finishInitialization) .then(finishInitialization)
.catch(_.partial(_converse.log, _, Strophe.LogLevel.FATAL)); .catch(_.partial(_converse.log, _, Strophe.LogLevel.FATAL));

8
src/utils.js
View File

@ -646,6 +646,14 @@
return promise; return promise;
}; };
u.interpolate = function (string, o) {
return string.replace(/{{{([^{}]*)}}}/g,
(a, b) => {
var r = o[b];
return typeof r === 'string' || typeof r === 'number' ? r : a;
});
};
u.safeSave = function (model, attributes) { u.safeSave = function (model, attributes) {
if (u.isPersistableModel(model)) { if (u.isPersistableModel(model)) {
model.save(attributes); model.save(attributes);