Don't use _.template
for variable interpolation
It depends on `eval` which is unsafe.
parent
4d34952eae
commit
fa6569352c
@ -1,5 +1,9 @@
|
||||
# Changelog
|
||||
|
||||
## 3.3.4 (Unreleased)
|
||||
|
||||
- Avoid `eval` (via `_.template` from lodash).
|
||||
|
||||
## 3.3.3 (2018-02-14)
|
||||
|
||||
### Bugfixes
|
||||
|
@ -1862,7 +1862,7 @@
|
||||
i18n.fetchTranslations(
|
||||
_converse.locale,
|
||||
_converse.locales,
|
||||
_.template(_converse.locales_url)({'locale': _converse.locale}))
|
||||
u.interpolate(_converse.locales_url, {'locale': _converse.locale}))
|
||||
.catch(_.partial(_converse.log, _, Strophe.LogLevel.FATAL))
|
||||
.then(finishInitialization)
|
||||
.catch(_.partial(_converse.log, _, Strophe.LogLevel.FATAL));
|
||||
|
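Review bot: The value substituted into `_converse.locales_url` is inserted verbatim, and the resulting string is what `i18n.fetchTranslations` receives as its third argument. If `_converse.locale` can reach this point from configuration or the browser without first being checked against `_converse.locales` (not visible in this hunk), encode it at the call site: `u.interpolate(_converse.locales_url, {'locale': encodeURIComponent(_converse.locale)})`. Note also that `u.interpolate` recognises only the `{{{locale}}}` form and leaves anything else in place, so a `locales_url` written with a different placeholder syntax would be passed on unsubstituted. The enclosing function starts and ends outside the hunk.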
@ -646,6 +646,14 @@
|
||||
return promise;
|
||||
};
|
||||
|
||||
u.interpolate = function (string, o) {
|
||||
return string.replace(/{{{([^{}]*)}}}/g,
|
||||
(a, b) => {
|
||||
var r = o[b];
|
||||
return typeof r === 'string' || typeof r === 'number' ? r : a;
|
||||
});
|
||||
};
|
||||
|
||||
u.safeSave = function (model, attributes) {
|
||||
if (u.isPersistableModel(model)) {
|
||||
model.save(attributes);
|
||||
|
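Review bot: `u.interpolate` has no comment stating its contract, and the `o[b]` lookup reads inherited properties as well as own ones. A short doc comment above the function should say that it replaces `{{{key}}}` with string or number values from `o`, leaves unknown placeholders untouched, and performs no escaping or encoding, so callers must encode for the output context (URL, HTML). Restricting the lookup to own properties makes that contract exact: `var r = Object.prototype.hasOwnProperty.call(o, b) ? o[b] : undefined;`. The callback parameters `a` and `b` would read better as `match` and `key`.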