Don't use _.template for variable interpolation

It depends on `eval`, which is unsafe.
JC Brand 2018-02-19 10:35:58 +01:00
parent 4d34952eae
commit fa6569352c
3 changed files with 13 additions and 1 deletions


@ -1,5 +1,9 @@
# Changelog
## 3.3.4 (Unreleased)
- Avoid `eval` (via `_.template` from lodash).
## 3.3.3 (2018-02-14)
### Bugfixes


@ -1862,7 +1862,7 @@
i18n.fetchTranslations(
_converse.locale,
_converse.locales,
_.template(_converse.locales_url)({'locale': _converse.locale}))
u.interpolate(_converse.locales_url, {'locale': _converse.locale}))
.catch(_.partial(_converse.log, _, Strophe.LogLevel.FATAL))
.then(finishInitialization)
.catch(_.partial(_converse.log, _, Strophe.LogLevel.FATAL));
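Review bot: The new `u.interpolate(_converse.locales_url, {'locale': _converse.locale})` call expands only `{{{name}}}` placeholders, whereas `_.template` also understood lodash's default `<%= %>` and `${}` interpolation, so a user-configured `locales_url` written in that syntax would now reach `fetchTranslations` unchanged, with the literal placeholder left in the URL and no error raised. If the project already pinned `_.templateSettings.interpolate` to the triple-brace form the change is transparent, but that is not visible in this hunk. Either way, the `locales_url` option documentation and the changelog entry should state that only the `{{{locale}}}` placeholder is recognised from this version on. The enclosing initialization function starts and ends outside this hunk.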


@ -646,6 +646,14 @@
return promise;
};
u.interpolate = function (string, o) {
return string.replace(/{{{([^{}]*)}}}/g,
(a, b) => {
var r = o[b];
return typeof r === 'string' || typeof r === 'number' ? r : a;
});
};
u.safeSave = function (model, attributes) {
if (u.isPersistableModel(model)) {
model.save(attributes);